Chapter 1

INTRODUCTION 



1. DESIGN FLOW 

Integrated circuit (IC) complexity is steadily increasing. ICs 
incorporating hundreds of millions of transistors, mega-bit memories, 
complicated pipelined structures, etc., are now in high demand. For example, 
the Intel Itanium II processor contains more than 200 million transistors,
including a 3 MB third level cache. A billion transistor IC was said to be
“imminently doable” by Intel fellow J. Crawford at Microprocessor Forum
in October 2002 [40]. Obviously, designing such complex circuits poses real
challenges to engineers. Certainly, no relief comes from the competitive 
marketplace, with increasing demands for a very narrow window of time 
(time-to-market) in engineering a ready product. Therefore, a systematic and 
well-structured approach to designing ICs is a must. 

Although there are no widely adhered standards for a design flow, most 
companies have their own established practices, which they follow closely
for in-house design processes. In general, however, a typical product cycle
includes a few milestones. An idea for a new product usually starts from an
in-depth market analysis of customer needs. Once a window of opportunity is
found, product requirements are carefully specified. Ideally, these 
parameters would not change during the design process. In practice, initial 
phases of preparing a design specification are susceptible to potential errors, 
as it is very difficult to grasp all the details in a complex design. 
Additionally, as design cycles are shrinking, the whole design process is 
bound to become ever more prone to errors and specification changes [18]. 

Figure 1: Design Flow Overview

Specifications are often prepared by a team led by product managers. The 
ways in which design tasks are divided and carried out depend on company 
practices, resources and the experience of a design team. General trends, 
however, are to start with the behavioral modeling. For that purpose, initial 
algorithms are represented in hardware description languages (HDLs) like 
VHDL or Verilog, or even in higher abstraction languages, like SystemC. 
The correctness at this stage is checked by the comparison to the 
specification. 

After the behavioral model has been verified, the design is partitioned 
into smaller, more refined blocks. Whenever possible, these blocks are 
represented by intellectual property (IP) cores, while remaining elements are 
modeled using structural HDL or schematic capture, Figure 1. Once the
design functionality and estimated performance are satisfactory, the circuit is
synthesized. During the synthesis process, various automated minimization 
steps take place. Sometimes, it is necessary to perform manual 
modifications, mainly to introduce design-for-test features, including scan, 
boundary scan, test point insertion and built-in self-test (BIST). This stage 
of a design flow is illustrated by the central part of Figure 1. Finally, after 
satisfying timing, area, power and other criteria, a layout is prepared for 
fabrication, the rightmost part of Figure 1. 

Checking the correctness of a design at various stages of a design
process, bottom of Figure 1, is crucial. However, it appears that verification 
at different stages is often an ad hoc process. Paradoxically, the reason is 
often lack of time. As the following industrial example [118] illustrates, 
verification takes over 60% of the overall time, and the number of 
verification engineers should double that of designers. However, not
catching an error in time proves to be much more costly - the famous
Pentium bug is the perfect illustration.

Figure 2, cited from [118], shows the breakdown in the workload required
for design and verification invested into producing three large-scale ASIC 
designs. 



[Figure 2 (pie chart of effort shares): Extended Simulations 11%, System Simulations 2%, ASIC Testbenches 23%, Emulation Support 8%, Behavioral Modeling 11%, Emulation Software 8%, High Level Design 4%, RTL and Block Test 20%; also shown: Equivalence Check, Synthesis, Timing Analysis, DFT.]

Figure 2: Breakdown of the Design and Verification Efforts

As seen from the above example, time spent on verification at various 
stages of a design process is significant. Complexity of the task requires 
highly trained personnel. Therefore, there is an obvious need for the 
systematic approach to verification, as well as for simpler, fully automated 
tools that can verify designs at different levels of abstraction and share 
verification information within design flow, such that the verification effort 
is minimized. In this book we address these issues. 

A verification plan is a schedule of all tasks undertaken by the 
verification team throughout the design process. The plan can be fully 
written after the exact specification is completed - only then is it clear what
is to be verified, when and how the blocks will be incorporated, and what are
the overall time, space and power requirements. A verification plan starts by
identifying all blocks to be verified and by prioritizing verification tasks. 
There are no golden rules on how to achieve this partition. Often, critical 
are: design structure, confidence of an engineer in his/her abilities, as well as 
the inter-company requirements for final products. 

The next step is to identify how and what should be verified in the sub- 
blocks. It is often not feasible to fully verify all blocks; therefore, some 
compromises must be made. Certain elements are must-have features - they 
must be correct for the normal functionality of a system, while others are 
should-have features, which are only enhancements. Once the priority is 
established, the final step is to determine when and how a given sub-block 
will be verified. At this point, it must be clear which parts should be verified 
through simulation-based methods, how many testbenches are required, and 
which elements will be approached through formal methods. 



2. VERIFICATION - APPROACHES AND 
PROBLEMS 

Checking the correctness is the most difficult aspect of the design 
process. In practice, verification of any substantial circuit is almost never 
completed, as it can never be stated with a certainty that the given circuit is 
fully correct - we can only show the presence of an error rather than its 
absence. 

Little tolerance for hardware errors imposes strict quality standards. For
example, in the aerospace industry it is a common practice to duplicate the 
verification effort by assigning more than one engineer to the same task. 
This duplication increases chances of catching an error as early as possible. 
Since errors found late in a design process can be potentially very costly, 
early detection is obviously critical. 

The impact of verification on a design process should be even larger than 
that of testing for manufacturing faults. In the latter case, most circuits are 
built in compliance with design for testability (DFT) rules. DFT provides 
guidance for inserting testing features such as: Built-in Self Test (BIST)
for embedded memories and datapath elements, scan and boundary scan, test 
point insertion [24] and many others. Most of the above practices have been 
standardized. 

The analogous solution would be to elaborate a set of rules for design for 
verification. As of now, however, no such standards exist in spite of the 
concerted efforts [16]. Were the design process coordinated with verification,
many changes aimed to ease the verification could be incorporated in the 
design flow. For example, typical modifications that prove to be very helpful 
include inserting additional registers to control, observe and debug internal
signals. Another commonly used approach partitions a design by placing 
multiplexers around each block to isolate it from the rest of a circuit during 
verification. Finally, employing as many IP cores as possible further 
simplifies design and verification process. 

2.1 Verification Approaches 

Due to the abundance of classes of errors, diverse approaches are used to 
verify their presence/absence. Simulations are still the most common way of 
design validation; however, with the growing circuit complexity, in many 
cases simulations alone might not be able to stand up to the task. Formal
methods for design verification are gaining popularity, and are often 
recognized as the verification, leaving simulations as a method of validation. 
However, in our terminology we do not distinguish among simulations, 
semi-formal and formal methods, and refer to all of them as verification. 

2.2 Verification by Simulations 

Simulation of a circuit under a suitable input stimulus, often referred to
as test vectors or testbenches, is the oldest verification method and still the
most extensively used in practice [17], [18]. Simulations are applied to verify
circuits at various stages of a design process.

This approach is related to another important topic in circuit design, that 
of testing for manufacturing faults. We argue that common to the use of 
simulations in testing and verification are: error models, test vector 
generation and, sometimes, response compaction. 

2.3 Test Vector Generation 

Modern ICs can have thousands of I/O pins. Large numbers of inputs are
certainly desirable for accessibility of different circuit elements. However, in
terms of vector-based simulations, testing and verification, even a moderate
number of inputs poses a challenge. For example, in order to simulate
exhaustively a simple 32-bit adder, a prohibitive number of 2^ patterns need 
to be generated. For that reason, subjecting a typical digital circuit to an 
exhaustive stimulus during verification is practically impossible. 

There are no standard procedures to generate verification vectors - most 
techniques are borrowed from manufacturing testing. Test generation 
methods can be classified into two categories: random or deterministic. 
Random testing plays a dominant role, and is at the origin of most of the
simulation-based verification methods. 

It is impossible to devise an ideal random number generator by 
deterministic means; hence all the random techniques are in fact 
pseudorandom. This means that vectors are obtained using deterministic 
algorithms, where sequences of tests can be always reconstructed, while 
appearing to be “random”. Often, stimuli with the uniform distribution
having equal probability of appearance of 0s and 1s are sufficient to provide
high fault coverage. Sometimes it is necessary to bias test vectors, such that
the probability of, for example, 1s is larger than that of 0s. Such techniques
are referred to as biased pseudorandom [114] and are widely used in 
commercial tools as well as within the open-source SystemC initiative [93]. 

Another alternative to pseudo-random tests, which has recently drawn a lot of
attention, is the class of pseudo-exhaustive methods. As it is infeasible to obtain
pseudo-exhaustive patterns for a large number of inputs, k-input spaces are
partitioned into much smaller n-bit subspaces, n ≪ k. This approach rests on
the observation that a k-input circuit under test is often controllable by no
more than n inputs. Hence, test application time is reduced to 2^n steps. The
generation of k-bit test vectors that exhaustively exercise all n-bit patterns
has been examined in detail [4], [70], and practical solutions are generally
based on linear feedback shift registers (LFSRs) [87], [124] or cellular
automata [41].

Random techniques do not use extensively information regarding circuit 
structure to minimize the test set. The benefit of pseudorandom methods is 
definitely the simplicity of test pattern generation. The drawback is the size 
of the test set, which can be quite substantial, even for the random testable 
circuits. 

Deterministic methods like Automated Test Pattern Generation (ATPG) 
address the issue of large vector sets. Here, tests are devised to target a 
particular fault. Traditionally, these methods were based on the D-algorithm 
[110], and are substantially more involved than random methods. They are 
essential when the fault list includes redundant faults, i.e., faults that do not 
introduce erroneous behavior and cannot be detected by any test patterns. 
Note that when an injected fault is redundant, lots of random test vector 
simulations could be wasted. Only when subjected to exhaustive testing, 
redundant faults are irrelevant. Otherwise, if we use only random patterns, 
then we are not able to state with certainty whether undetected faults were 
redundant, or test patterns were not able to detect them. In such cases, 
deterministic methods are needed to find redundant faults. 
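
The point about redundant faults, as an added example (not code from the book): a constructed four-input netlist is fault-simulated with vectors from a 4-bit LFSR, and exhaustive simulation, feasible only because the circuit is tiny and standing in here for ATPG or SAT, separates redundant faults from those the pseudorandom vectors merely missed. The netlist, the net names and the LFSR polynomial are assumptions of this example.

```python
from itertools import product

# Constructed netlist (an assumption of this example, not from the book):
#   y = (a OR (a AND b)) AND (c XOR d)
# The OR gate absorbs the AND term, so some faults near n1 can never reach y.
INPUTS = ["a", "b", "c", "d"]
NETLIST = [  # (output net, gate type, input nets), in topological order
    ("n1", "AND", ("a", "b")),
    ("n2", "OR", ("a", "n1")),
    ("n3", "XOR", ("c", "d")),
    ("y", "AND", ("n2", "n3")),
]
GATES = {
    "AND": lambda p, q: p & q,
    "OR": lambda p, q: p | q,
    "XOR": lambda p, q: p ^ q,
}


def simulate(vector, fault=None):
    """Return output y for one input vector; fault=(net, value) forces a stuck-at."""
    nets = dict(zip(INPUTS, vector))
    if fault and fault[0] in nets:          # stuck-at on a primary input
        nets[fault[0]] = fault[1]
    for out, gate, ins in NETLIST:
        nets[out] = GATES[gate](*(nets[i] for i in ins))
        if fault and fault[0] == out:       # stuck-at on an internal net or y
            nets[out] = fault[1]
    return nets["y"]


def lfsr_vectors(count, seed=0b0001):
    """Vectors from a 4-bit Fibonacci LFSR, polynomial x^4 + x^3 + 1 (period 15)."""
    state, vectors = seed, []
    for _ in range(count):
        vectors.append(tuple((state >> i) & 1 for i in range(4)))  # a is bit 0
        feedback = ((state >> 3) ^ (state >> 2)) & 1
        state = ((state << 1) | feedback) & 0xF
    return vectors


def all_faults():
    """Single stuck-at-0 and stuck-at-1 faults on every net."""
    nets = INPUTS + [out for out, _, _ in NETLIST]
    return [(net, value) for net in nets for value in (0, 1)]


def detected(vectors):
    """Faults for which at least one vector makes the faulty output differ."""
    return {f for f in all_faults()
            if any(simulate(v) != simulate(v, f) for v in vectors)}


def redundant_faults():
    """Faults that no input pattern at all can expose (exhaustive check)."""
    exhaustive = list(product((0, 1), repeat=len(INPUTS)))
    return set(all_faults()) - detected(exhaustive)


def coverage_report(n_vectors):
    """Split the fault list into (detected, missed but detectable, redundant)."""
    found = detected(lfsr_vectors(n_vectors))
    redundant = redundant_faults()
    missed = set(all_faults()) - found - redundant
    return found, missed, redundant


if __name__ == "__main__":
    total = len(all_faults())
    for n in (3, 8, 15):
        found, missed, redundant = coverage_report(n)
        print(f"{n:2d} LFSR vectors: {len(found)}/{total} detected, "
              f"{len(missed)} missed, {len(redundant)} redundant")
    print("redundant faults:", sorted(redundant_faults()))
```

From the pseudorandom run alone, the undetected faults form one undifferentiated set; only the exhaustive pass shows which of them no vector could ever detect.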

Although deterministic methods were traditionally used in manufacturing 
testing, recently Al-Assad and Hayes [8] applied them for detecting gate and 
wire replacement errors based on the modifications of ATPG. In this work,
we present our alternative approach to redundant fault identification
employing satisfiability (SAT), Chapter 7. 

2.4 Design Error Models 

Vector generation techniques require some means for assessment of the 
quality of test stimuli. Such evaluation is achieved through a fault model. 
Due to many possible sources of failures, there can be many fault models. 
The best-known models used in manufacturing testing include stuck-at-value 
(s-a-v), bridging and delay faults [4], [24]. Classical test methods exist for
their detection and diagnosis. 

As most manufacturing faults remain the same regardless of the design 
process, it is possible to uniquely classify them. The situation is quite 
different in circuit verification. There are many possibilities for potential 
errors at each stage of a design flow, and modeling faults is closely related to 
modeling of a circuit. A fault happening at one stage of a design flow has 
often little in common with a fault at the other stage. Therefore, errors are 
approached depending on a level of abstraction. 

At behavioral level, most common are conceptual errors coming from 
the misinterpretation of a specification. The range of these errors is virtually 
endless - from an error where a subtraction is used instead of an addition, to 
an incorrect control flow of datapath operations. Due to such a broad nature 
of possible functional errors, a unified error classification is not possible. 

The other wide class of design errors at behavioral level embraces coding 
faults - they are generally classified as software errors. For example, a faulty 
assertion or a branch belongs to this category. Therefore, software-testing 
methods are often used for such coding fault verification. One of the widely
employed practices is referred to as “linting”, named after an early UNIX/C
tool for finding obvious mistakes in C code, such as type mismatches etc.
Other methods incorporate software test metrics [69], such as statement
coverage and branch coverage. Also used is the toggle coverage metric [125].
Mutation testing [130] is yet another software testing method, which
recently found a new and interesting application to hardware verification. In 
mutation testing, various faults (mutants to the original code) are implanted 
to the code, followed by the simulations that check whether the test set 
discovers the fault. 

Simulations are very popular execution engines in such verification 
schemes. Vectors at this stage are often selected manually to excite all the 
blocks of interest. Alternatively, it is common to check whether some 
conditions are ever executed (liveness), or whether once entered, an 
execution of some loop is terminated at some point (deadlock). Other 
examples include inquiries about the correctness of execution flow. These 
are only the most commonly considered assertions - the real problem is how to
determine which assertions to prove. In retrospect, assertions can be
viewed as a specific error model for the simulation-based verification. In 
reality, it might be easier to prove assertions using formal methods, than to 
come up with the suitable test sequence. 

In the next stage of design flow, circuits are represented structurally. 
Common error types encountered at this level are module substitutions. For 
example, a subtraction module is erroneously replaced by an adder. 
Similarly to conceptual errors of a behavioral design, there are many 
possibilities for potential substitution errors. Therefore, their explicit 
modeling is impractical. Instead, in this book we consider an implicit 
representation of these errors in terms of Arithmetic Transform (AT), 
Chapter 4. 

The other type of errors common to structural design descriptions is that 
of wire replacements. These errors emerge as a result of wrong connections 
among blocks and IP cores. Similarly to module substitution errors, wire 
replacements constitute a very broad class of design errors, hence, their 
explicit modeling even in the case of moderately sized circuits is too
involved. Analogously to gate replacement errors, we propose a new way of 
an implicit modeling in terms of their AT spectrum. 

The next level of circuit abstraction is a synthesized netlist, which 
resembles a previously considered structural register-transfer level of a 
design, with the only difference - blocks of complex functionality are now 
replaced with simple gates. Therefore, module substitution errors considered 
so far are refined to gate replacement faults. Wire replacement faults are the 
other predominant fault at this level of a design abstraction. Both of these 
errors are introduced to a circuit either by automated synthesis tools or 
human interaction. Particularly, post-synthesis errors caused by insertion of
DFT features are a major source of potential interconnect faults. Netlist
modifications to improve speed, area, power or other circuit parameters can 
lead to gate and wire replacement errors. 

Classes of gate and wire replacement errors are still very broad. 
However, unlike manufacturing testing, there are no standards for 
classifying them further. In-depth research on classification of these errors as 
well as methods for their detection has been conducted, among others, by 
Abadir and Hayes [2], [3], [25] and researchers in formal verification [131]. 

In this book, we adopt these error classes. However, the number of all
possible gate and wire replacements is generally much larger than the
number of manufacturing faults, which creates a real problem for
simulations. Currently, manufacturing fault simulation is hard enough to 
carry out due to the already large error sets. Hence, a compact test set, which 
targets many classes of design errors, is desirable. In this book we propose 
an efficient way of representing the gate level design errors in an implicit
way using Arithmetic Transform (AT). We then introduce a test generation 
scheme based on AT, which is particularly efficient for detecting such 
errors, Chapter 4. 

Finally, errors committed at the last stage of a design flow, i.e.,
verification of circuit layouts, were the first ones to be solved in practice, and
are not dealt with in this book.

2.5 Other Simulation Methods 

The design verification is performed at various levels of abstractions, and 
concerns different stages of the design cycle. Characteristics of designs at 
each level of abstraction require specific approaches to verification even 
within the same class of methods. Therefore, simulation-based schemes, 
which are the most dominant and scalable, offer in practice a variety of 
solutions. 

2.5.1 Coverage Verification 

It would be ideal to have fault models representing all possible types of
errors in a design. Then, simulations with suitable test vectors could
definitely confirm the lack of such errors, i.e., its correctness. However, the
more abstract a description, the harder it is to find structural and
methodological commonalities within other designs, and, consequently,
representative fault models. Additionally, the possibilities for errors are so
vast that it is impossible to come up with the fault model covering all the 
potential failures in RTL level or above. Therefore, verification (especially 
formal) resorts to checking some particular features in a design. Correctness 
of these features does not often translate to the correctness of the overall 
design. Nevertheless, it seems that checking for only some particular design 
characteristics is all that can be done. 

Although there are many different general fault classes, one of the more 
interesting solutions is similar to software testing. In this approach, sufficient 
functionality should be exercised in order to affirm correctness for “typical 
functions”. More recently, this method has evolved to the coverage 
techniques, by which the statements in the source code are to be exercised as 
much as possible. The coverage metrics replace the fault model, to guarantee 
sufficient excitation of the lines of the source code, expressions, branches, 
paths or a suitable observability measure [52]. The examples of coverage 
metrics include: 

• Line coverage - percentage of visited statements 

• Branch coverage - percentage of branches taken

• Path coverage - percentage of taken execution paths

• Expression coverage - coverage of expressions within statements

• Toggle coverage - low-level metrics on bits that toggle

However, these coverage metrics might not be that consequential for 
verification, as they do not necessarily directly relate to the goal of finding 
design errors. As correctly noted in [45], the objective of coverage 
verification is to “maximize the probability of stimulating and detecting 
bugs, at minimum cost (in time, labor, and computation).” Hence, coverage 
is a substitute for the real goal, that of finding the design errors. In the 
absence of a fault model for the design errors, indirect metrics of coverage 
are used. 

Another drawback of the traditional line coverage was illustrated in [52], 
where it was noted that in some cases the verification stimulus achieved 
100% coverage, however only 77% of faults were observable. Yet another
example achieved 90% line coverage with only 54% observability coverage. 

2.5.2 Other Metrics 

Industry often relies on metrics that are derived ad-hoc, from their 
traditional functional verification methods. Often, the main goal of such 
metrics is to decide when to stop simulation. This decision can rest on the 
statistics on the detection of the design errors, or the amount of time since 
the last detection, or even the total number of simulation cycles. Underlying 
assumption here is that there is a stable period after which the verification 
effort exhibits diminishing returns. Advanced statistical techniques [85] can 
be used in conjunction with simulations to estimate the tradeoffs between 
delaying the product and expected finding of design errors. This information 
is then used to decide when to stop with simulations. 

Since test set generation is costly, one would like to combine the effort in 
obtaining test vectors for manufacturing faults and implementation 
verification. Specifically, teams where design managers are responsible for 
both manufacturing testing and verification can find appealing the idea of 
test vector reuse between the two tasks. Some products, such as Field 
Programmable Gate Arrays (FPGAs) permit significant reuse of 
manufacturing tests in verification because of their regular structure and 
similarity between different generations of products. When a new FPGA 
circuit is designed, manufacturing fault test vectors from previous 
generations of FPGAs are known and are used as a starting point for both 
testing and verification of the new FPGA. Designers then undertake
simulations for simultaneous detection of design errors and validation 
vectors for manufacturing testing. At the end of the process, the new test 
stimuli and circuits are checked. 

FPGAs are very specific products; in general, if one can simulate the 
design using manufacturing test vectors and assert sufficient confidence in 
its correctness, great savings in project completion time can be achieved. In 
that case, the coverage of stuck-at and other manufacturing faults is used as 
coverage metric. With shrinking of manufacturing processes, the 
manufacturing faults are becoming increasingly diverse, to approach the 
replacement of a gate with any other gate [32]. Coverage for such faults will 
suffice for more and more design errors as well. 

2.6 Formal Verification 

Formal methods are yet another type of hardware verification. They have 
been borrowed from software verification methods developed some 30 years 
ago [62]. Tools for hardware verification, however, are no older than 10 
years. Formal methods are in fact historically the youngest in the whole 
verification spectrum, and a lot of effort is put into making them a remedy
for all the verification problems not solved by simulations. This is not the
case yet, and at this point it becomes more and more clear that most of the 
circuits will never be fully verified that way. Systems in production are too 
large for formal methods, and with time their size will only grow. In 
consequence, a complete formalization of the implementation is intractable. 
Therefore, the requirement of complete system verification is replaced with 
the more realistic goal of reaching a certain level of confidence in design 
correctness. All taken into account, the current trend is to use formal 
methods in cooperation with simulations. Ideally, we would want to use 
these two approaches simultaneously, and employ formal methods when 
simulations break (and vice versa). However, due to incompatibility of 
circuit representations used in formal methods and simulations, this goal is 
not feasible for most available tools. In this work, we propose such a circuit 
and error representation that works well with both formal and simulation 
methods. 

Formal methods, although not restricted to them, target verification of
sequential systems and, in particular, finite state machines. A verification
goal can be specified as follows. We are given two finite state machines F1
and F2 that have the same number of inputs and outputs. The task of
verification is to determine whether F1 has the same input/output behavior as
F2.
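
The verification goal stated above, as an added example (not code from the book): two Mealy machines are compared by a breadth-first search of their product machine, which either visits every reachable state pair without an output mismatch or returns the shortest input sequence that tells the machines apart. The three machines, their state names and the dictionary encoding are constructed for this example.

```python
from collections import deque

# A Mealy machine is encoded as {state: {input: (next_state, output)}}.
# All three machines are constructed for this example. SPEC outputs 1 when the
# current and the previous input are both 1.
SPEC = {
    "S0": {0: ("S0", 0), 1: ("S1", 0)},
    "S1": {0: ("S0", 0), 1: ("S1", 1)},
}
# Same behavior with a redundant third state.
IMPL = {
    "A": {0: ("A", 0), 1: ("B", 0)},
    "B": {0: ("A", 0), 1: ("C", 1)},
    "C": {0: ("A", 0), 1: ("C", 1)},
}
# Design error: from C, input 0 returns to B instead of A, so the machine
# "remembers" a 1 that was never applied.
BUGGY = {
    "A": {0: ("A", 0), 1: ("B", 0)},
    "B": {0: ("A", 0), 1: ("C", 1)},
    "C": {0: ("B", 0), 1: ("C", 1)},
}


def find_counterexample(f1, f2, start1, start2, alphabet):
    """Search the product machine of f1 and f2 breadth-first.

    Returns the shortest input sequence on which the outputs differ, or None
    when every reachable state pair agrees on every input (equivalence).
    """
    seen = {(start1, start2)}
    queue = deque([(start1, start2, [])])
    while queue:
        s1, s2, path = queue.popleft()
        for symbol in alphabet:
            next1, out1 = f1[s1][symbol]
            next2, out2 = f2[s2][symbol]
            if out1 != out2:
                return path + [symbol]
            if (next1, next2) not in seen:
                seen.add((next1, next2))
                queue.append((next1, next2, path + [symbol]))
    return None


def run(machine, start, inputs):
    """Replay an input sequence and return the output sequence."""
    state, outputs = start, []
    for symbol in inputs:
        state, out = machine[state][symbol]
        outputs.append(out)
    return outputs


if __name__ == "__main__":
    print("SPEC vs IMPL :", find_counterexample(SPEC, IMPL, "S0", "A", (0, 1)))
    cex = find_counterexample(SPEC, BUGGY, "S0", "A", (0, 1))
    print("SPEC vs BUGGY:", cex)
    print("  SPEC  outputs:", run(SPEC, "S0", cex))
    print("  BUGGY outputs:", run(BUGGY, "A", cex))
```

The set of visited state pairs can grow as the product of the two state counts, which is where the state explosion problem enters for machines of realistic size.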

Formal methods belong to two major categories: model-based and proof-
theoretical. Each of these categories uses special languages and strict
mathematical rules to verify certain properties of a given circuit.

2.7 Model-based Formal Verification Methods 

Model-based methods are applied when a circuit description is given in a 
form of propositional temporal logic or as a complex controller with 
multiple finite state machines. They can be fully automated. 

The two most widely used model-based methods are equivalence 
checking and model checking. Equivalence checking verifies that a pre- and 
post-processed circuit implementation are equivalent, Figure 3. Post-
processing of the netlist often includes activities like scan insertion, clock-
tree synthesis, and manual modifications to speed up the design, when the
critical path delays are not met, as well as minimization for the area and 
power dissipation. Additionally, regardless of the confidence in synthesis 
tools, it is desirable to check the correctness of the synthesized netlist against 
its register-transfer level representation. All the above changes do not alter 
the original function, as verification is carried out either through equivalence 
checking or by regression testing. 




[Figure 3 (block diagram): Synthesis, Original RTL or netlist, Modification, Modified RTL or netlist, Equivalence Checking.]

Figure 3: Equivalence Checking Paths



The advent of Binary Decision Diagrams (BDDs), which are used as data 
structures for circuit representation, revolutionized this type of formal 
methods. Models and circuits are often represented using canonical decision 
diagrams such as ordered binary decision diagrams (OBDDs) and their 
modifications. The equivalence of circuit specification and its 
implementation is verified by comparing their respective OBDDs. BDDs and 
their more modern versions allow for the efficient description of common
datapath circuits as well as finite state machines with more than 2"* states 
[77].

The obvious problems arising from the application of decision diagrams 
to verification are the state explosion and the incompatibility of decision 
diagram representations with the circuit forms used in simulation-based 
verification. The first shortcoming is still not fully resolved - each new 
generation of decision diagrams is of exponential size for some classes of 
designs. The second issue is very critical if we want to have a unified 
verification method, which uses interchangeably simulation-based and 
formal techniques. In this work we propose a new circuit representation 
based on Arithmetic Transform (AT) and its modifications, which can be 
efficiently used in equivalence checking. Using AT in formal verification 
has the advantage of providing a unified circuit representation, which can be 
used interchangeably in both formal and simulation-based verifications. 

Model checking is a more recent verification method used to determine 
whether the circuit implementation complies with its specification in the 
case when the latter is expressed by a temporal logic formula (predominantly 
in CTL). Most commonly checked system properties are: invariance, 
liveness and fairness. As only a subset of all assertions (properties) is
feasible to show, the biggest challenge of this method is to determine which 
properties to prove. 

[Figure 4 (diagram): the complete verification space, with cases marked as covered by simulation-based verification or by model checking.]

Figure 4: Distribution of Cases Verified by Simulations and Model Checking

The model checking approach is useful in verifying subtle circuit 
properties. It has not been yet fully incorporated into standard verification 
methodologies, and usually runs in parallel with functional simulations. In 
such a scenario, simple cases are verified using test vectors, and only when
complex parts are hard to verify with simulations, the model checking method is
applied. Figure 4 illustrates the breakdown of the design space verified with 
simulations and model checking. 

2.8 Proof-theoretical Formal Verification Methods 

Theorem proving methods like HOL88 [58], ISABELLE [96], 
LAMBDA [5], Nuprl [37], PVS [95], VERITAS [61], etc., are often 
complementary to model-based approach. They are applied, in particular, 
when abstract data types and circuit representation are out of reach for 
model-based methods. Also, verification of larger circuits does not necessarily
translate into more difficult proofs. Verification is carried out on a basis of
rigorous proofs. Mathematical formulations of circuit properties, as well as 
the overall process of proving them, are a lengthy and complicated task. At 
the present time, there is no fully automated way of preparing mathematical
formulations, as well as solving them. Human interaction is needed, and 
obviously, any such interventions are costly, and can introduce new errors to 
the system. In fact, theorem proving is conceptually the hardest type of 
formal verification and therefore still the least used in the industry. 

2.9 Spectral Methods in Verification 

There is yet another way to approach verification, either formal or 
simulation-based. Circuits can be analyzed in spectral domains, resembling 
the use of Fourier Transform elsewhere. It is known that spectral 
representations can provide lots of pertinent information about various 
properties of Boolean functions [66], such as detection of symmetries, 
function decompositions, as well as many testability properties. 

In verification, the first use of related methods has been in equivalence 
checking. Instead of using BDDs, probabilistic verification can be achieved 
by representing a function through an integer-valued signature polynomial 
[6], [68]. By comparing the values that the polynomial takes on a sufficient 
number of inputs, the probability of detecting equivalence can be made 
arbitrarily close to one. This method has been generalized to multiple-valued 
logic functions [44] by constructing a suitable transform and placing this 
approach in the context of spectral methods. Further, the body of work on 
word-level decision diagrams, which have been shown to be very useful in 
verification, is essentially dealing with spectral information, more precisely 
the Arithmetic Transform. 

In testing, spectral methods have been used in a variety of scenarios. 
Among the classical results, we point to the use of Reed-Muller transform in 
testing for stuck-at faults [42]. 

While the spectral methods provide a rich set of analysis techniques, their 
main limitation is the inability to construct spectral representations of 
large functions. In this work, we propose techniques that utilize properties of 
spectral methods, while avoiding the representation blowup problem. 



3. BOOK OBJECTIVES 

In this chapter we discussed some of the common approaches to 
verification of digital circuits, together with difficulties faced by these 
methods. The goal of this book is to alleviate some of the shortcomings of 
the existing verification techniques. Primarily, our interests are in verifying 
circuits at the gate level using simulation methods. Although simulations are 
still the most commonly used form of circuit verification, they are not free 
from insufficiencies. The biggest deficiency of verifications by fault 
simulations comes from the fact that the verification is only as good as the 
fault model used. The same can be said, however, about formal methods, 
which often instead of fully verifying a circuit, check whether certain 
properties of a specification are sustained in its implementation. 

In the first part of this book, Chapter 4, we target the main problems of 
verification by simulations, i.e., inadequate fault models, and too large 
vector sets. The deficiency of the current fault models comes from the 
impractical sizes of the error lists. To alleviate this problem, we introduce 
the implicit error modeling based on Arithmetic Transform (AT) [102]. Each 
implicit error can potentially represent many explicit gate and wire 
replacements in a netlist. A similar situation holds for other functional error 
types. Therefore, a detection of an implicit error can often signify more than 
a single explicit fault. This property is particularly beneficial at early stages 
of a design flow, when circuits contain many faults. Figure 5, borrowed from 
[118], shows a typical fault distribution graph. 

The already large sets of gate and wire replacement errors are even 
further superficially enlarged by redundant errors. Therefore, the 
identification of such errors, and their removal from the fault list is critical to 
efficient simulation-based verification schemes. In Chapter 5, we present the 
new scheme for identifying redundant gate and wire replacement errors 
based on the approximate determination of don’t care sets. Our method in 
some cases reduces to redundant single stuck-at-value fault identifications. 
When all the fast approximations fail to recognize all redundant faults, we 
propose an exact method for their identification based on SAT [100], [101]. 

Figure 5: Fault Distribution over Time 

Next, we address the problem of large vector sets by presenting the test 
generation scheme, which is guaranteed to be of a minimal size for the 
implicit AT error models. Our complete simulation-based verification 
method summarized in Figure 6 takes advantage of properties of AT [103], 
[106]. 




Figure 6: Verification Flow in Our Simulation-based Method 

In addition to superior performance, the distinctive aspect of the 
proposed simulation-based verification is the use of AT in implicit error 
modeling and test pattern generation. Further, the AT based framework for 
circuit representation can be applied to equivalence checking of the 
correctness of a design implementation versus its specification. The benefit 
of AT-based formal verification is in the ease of describing individual 
sub-blocks, and then incorporating them into a complete circuit [102]. We can 
hence use AT and its extensions to represent complex sequential circuits in 
equivalence checking verification. This gives us two verification methods - 
one simulation-based and one formal, which are unified by the same 
mathematical description used in error and circuit modeling. The framework 
of the proposed representation is again Arithmetic Transform with necessary 
extensions to accommodate complex sequential circuits [102], [104]. The 
proposed AT-based method for formally describing circuit specifications is 
extremely compact, fast and simple. In contrast, methods such as theorem 
proving take a long time and require considerable involvement from engineers. 
Additionally, building a circuit representation by composition reduces the 
cost due to the engineering changes or use of Intellectual Property (IP) cores. 
Finally, our simulation-based/formal verification method based on 
Arithmetic Transform achieves a high degree of automation, and can be 
incorporated either totally or partially into verification tools [103]. 




Chapter 2 

BOOLEAN FUNCTION REPRESENTATIONS 



In this chapter we review the function representations that will be used 
throughout the book. We begin by introducing the classical function forms 
such as truth tables and Boolean equations. Then, through Shannon expansions 
we present decision diagrams, including word-level decision diagrams 
(WLDDs). We conclude the chapter with spectral methods, which play a 
fundamental role in our verification method. Among others, we introduce 
Arithmetic Transform, which forms the basis for error representation and test 
vector generation in our verification scheme. 



1. BACKGROUND - FUNCTION REPRESENTATIONS 

The basic data on which digital circuits operate are two voltage levels: 
low (Vl) and high (Vh). A signal is considered to be Vl if it is below the 
threshold voltage and Vh if its value is above it. The abstract 
representations of the two operational voltage levels are “0” for Vl and “1” 
for Vh. 

Mathematical apparatus for dealing with two-valued functions is called 
Boolean algebra, defined as a set B = {0,1}, together with two operations: 
addition (+) and multiplication (*). Neutral elements for these two 
operations are respectively 0 and 1. For each a ∈ B there is a complement a', 
such that a + a' = 1 and a*a' = 0. Furthermore, both operations are 
associative, commutative, as well as distributive with respect to each other. 
These properties are similar, but not always identical to the ordinary algebra 
properties. For example, distributivity of Boolean algebra provides that a*b 
+ c = (a + c)*(b + c), unlike ordinary algebra, in which addition does not 
distribute over multiplication. 

A completely specified Boolean function is a mapping between Boolean 
spaces. The multidimensional space of n binary-valued Boolean variables is 
represented by B^n. Hence, an n-input and m-output Boolean function is a 
mapping f: B^n → B^m. Of interest to us are also incompletely specified 
functions, which are defined only on a subset of B^n. All points of B^n where 
the function is not defined are referred to as don’t cares. We are interested in 
yet another extension, that of pseudo-Boolean functions, f: B^n → W, by which 
multiple Boolean inputs are mapped to a set of word-level quantities W, such 
as integers. 

Digital circuits are hardware realizations of Boolean functions. Hence, 
the techniques for designing, testing and verifying circuits must operate with 
Boolean functions. Since this book deals primarily with hardware 
verification and testing, we first review relevant facts regarding Boolean 
function representations. 

Functions can be represented by various means, including truth tables 
and several forms of Boolean equations. Of practical interest are the graph- 
based representations, referred to collectively as decision diagrams. In this 
book we additionally investigate spectral representations, which employ 
various spectral domains [66], [126] to represent and reason about the 
functions. 

1.1 Truth Tables 

A truth table of Boolean function f holds a complete set of function 
outputs, corresponding to all input value combinations. In general, when we 
consider an n-input and m-output incompletely specified function f, the truth 
table of f can be viewed as a mapping from B^n into {0,1,d}^m, where d denotes 
the don’t care conditions. 

Throughout this chapter we will demonstrate various function 
representations on an example of a two-bit unsigned multiplier. 

Example 1: The truth table of the 2-bit unsigned multiplier with inputs x = 
x1x0 and y = y1y0, and output p = p3p2p1p0 is presented below. 

x1 x0 y1 y0 | p3 p2 p1 p0 
 0  0  0  0 |  0  0  0  0 
 0  0  0  1 |  0  0  0  0 
 0  0  1  0 |  0  0  0  0 
 0  0  1  1 |  0  0  0  0 
 0  1  0  0 |  0  0  0  0 
 0  1  0  1 |  0  0  0  1 
 0  1  1  0 |  0  0  1  0 
 0  1  1  1 |  0  0  1  1 
 1  0  0  0 |  0  0  0  0 
 1  0  0  1 |  0  0  1  0 
 1  0  1  0 |  0  1  0  0 
 1  0  1  1 |  0  1  1  0 
 1  1  0  0 |  0  0  0  0 
 1  1  0  1 |  0  0  1  1 
 1  1  1  0 |  0  1  1  0 
 1  1  1  1 |  1  0  0  1 

Table 1: Truth Table for the Two-bit Unsigned Multiplier 

There are certain advantages and disadvantages of the truth table 
representation of binary functions. One of the unquestionable benefits is the 
ease of deriving a function value from a given input combination, which 
becomes particularly helpful when this description is used by synthesis tools. 
Additionally, as truth tables are canonical, i.e., represent functions uniquely, 
they enable simple comparison or equivalence tests of two Boolean 
functions. 

On the other hand, due to their size, the practicality of such a 
representation is questionable for functions of even a modest number of 
inputs. The truth table for an n-input function consists of 2^n rows, hence the size 
and time complexity of operating on such representations are always 
exponential in the number of primary inputs. The same argument holds for 
incompletely specified functions. Consequently, binary function 
representation in terms of truth tables is generally impractical for our 
purposes. 

1.2 Boolean Equations - Sum of Products 

A glimpse at a truth table reveals quite a significant redundancy in 
function description. Present are both ON- and OFF- sets of a function, i.e., 
sets for which the function is 1 and 0, respectively. It is however sufficient to 
consider only variable assignments for which a given function is ON. 

To take the full advantage of this observation, Boolean functions need to 
be represented in the following sum-of-products form. For an n-variable 
function, the minterm is a product (monomial) of n literals, where each 
literal stands for a variable or its complement. The sum of all minterms over 
the ON-set then forms a complete and canonical representation that might be 
significantly more concise than the truth table. Such a representation is 
referred to as a two-level minterm canonical form. 







Example 2: The minterm canonical form representations of the multiplier bits 
from Table 1 are given by the following sums of minterms (a prime marks a 
complemented literal): 

p3 = x1 x0 y1 y0 
p2 = x1 x0' y1 y0' + x1 x0' y1 y0 + x1 x0 y1 y0' 
p1 = x1' x0 y1 y0' + x1' x0 y1 y0 + x1 x0' y1' y0 + x1 x0' y1 y0 
     + x1 x0 y1' y0 + x1 x0 y1 y0' 
p0 = x1' x0 y1' y0 + x1' x0 y1 y0 + x1 x0 y1' y0 + x1 x0 y1 y0 



A function representation by a sum of minterms is more compact than 
the truth table. However, there is still much redundant information. 
Simplification by laws of Boolean algebra leads to the more general sum-of- 
products (SOP) function representations. For example, the last two minterms 
for p0 can be simplified as x1 x0 y1' y0 + x1 x0 y1 y0 = x1 x0 y0. We notice that the 
resulting product term has the literal y1 removed. Such products of terms, 
which do not necessarily include all the variables, are referred to as cubes, or 
implicants. 

Minimization of logic functions is central to their design, test and 
verification, and as such has been the subject of numerous studies. In the 
case of SOP representation, the objective is to find the sum-of-product 
realization, or logic cover, of minimal size, i.e., given by a minimum number 
of cubes. Commonly used is the Quine-McCluskey minimization algorithm 
[89], based on a theorem by Quine. This theorem states that any minimum 
cover consists only of prime cubes. Prime cubes are defined as those that can 
have no literal taken out, and still be in the cover. 

The Quine-McCluskey algorithm first constructs prime cubes and then 
seeks the minimal cover among sets of prime cubes, which are also 
irredundant, i.e., no cube can be taken out of the cover while preserving the 
function. Many commercial CAD tools implement some form of a SOP 
minimization in their core algorithms for circuit minimizations. Due to the 
difficulty in constructing prime and irredundant covers for large functions, 
modern algorithms are based on heuristics that avoid generating all primes, 
and by that may miss the real minimum. 

Example 3: After minimizing the canonical minterm form of a multiplier 
from Example 2, one obtains the following minimal sum-of-product 
expression for the outputs of a 2-bit unsigned multiplier: 

p3 = x1 x0 y1 y0 
p2 = x1 x0' y1 + x1 y1 y0' 
p1 = x1' x0 y1 + x1 x0' y0 + x1 y1' y0 + x0 y1 y0' 
p0 = x0 y0 



Example 4: Consider a function f(x, y, z) represented by three minterms: 
x'y'z + xy'z' + xy'z and its minimized form y'z + xy' given by two cubes. Figure 
7 shows the relation between minterms and cubes (m, c) of f. 

Figure 7: Relation Between Minterm and Cube Representations 
(m = x'y'z + xy'z' + xy'z, c = y'z + xy') 



1.3 Satisfiability of Boolean Functions 

Solving any form of Boolean equation requires finding a vector of input 
stimuli, for which the equation is equal to 1, i.e., is satisfied. Among all such 
satisfiability problems, we are especially interested in the problem of 
satisfying the product-of-sums forms. 

Dual to minterms are clauses, where all the variables forming a clause 
are or-ed instead of being and-ed. Analogous to the case of sum-of-product 
forms, by employing clauses one obtains a product-of-sums (POS) 
representation that is often referred to as a conjunctive normal form (CNF). 

Example 5: Boolean equation: f(x,y,z) = x'y + yz' + xz expressed as a 
sum-of-products is satisfied by the following set of input vectors: 
(x,y,z) = {(1,1,0), (1,1,1), (0,1,0), (0,1,1), (1,0,1)}. 

Boolean equation: f(x,y,z) = (x + y')(y + z')(x + z) expressed in the CNF 
form is satisfied by the input vector set: (x,y,z) = {(1,0,0), (1,1,0), (1,1,1)}. 

Satisfiability of Boolean expressions seems to be a problem that is easy 
to solve and straightforward to comprehend. As shown in the example 
above, it tries to answer the question: “Is it possible to satisfy a given 
Boolean expression by at least one input assignment?” However, in spite of 
this perception, it was the first problem ever declared to be NP-Complete 
[54]. The class of NP-Complete problems is believed not to be solvable in 
polynomial time. S. Cook has presented the original problem classification 
in terms of the following theorem. 

Theorem 1: (Cook’s Theorem) SAT is NP-Complete. 

Interestingly, a satisfying assignment of expressions with two-term 
clauses (2-SAT) can be found in polynomial time, while the same problem 
for three-term clauses (3-SAT) is already NP-Complete. Additionally, 
providing the answer in the form YES/NO is as hard as finding a satisfying 
assignment. 

Example 6: After converting Boolean equations from Example 3 into a 
product-of-sums form, we obtain the following set of clauses: 

p3 = x1 x0 y1 y0 
p2 = x1 y1 (x0' + y0') 
p1 = (x1 + x0)(y1 + y0)(x1 + y1)(x0 + y0)(x1' + x0' + y1' + y0') 
p0 = x0 y0 



The set of input assignments satisfying all of the above equations is empty. 
This fact is easy to verify by checking the multiplier truth table, Table 1, 
where no input (x1, x0, y1, y0) assignment results in all the output bits (p3, p2, 
p1, p0) being equal to one. 

1.3.1 Algorithms for Solving Satisfiability 

We now present a more detailed description of satisfiability solvers. The 
problem of finding a true assignment is fundamental to many methods in 
synthesis, testing and verification. For example, in Chapter 7 we will utilize 
satisfiability for determining a set of redundant gate and wire replacement 
faults. 

Satisfiability algorithms are most often applied to Boolean functions 
represented as a CNF, i.e., product-of-clauses (sums). Since the search for a 
satisfying variable assignment is proven to be NP-Complete, all known 
algorithms might fail to produce a result in polynomial time. 

The basic complete algorithm for solving SAT, known as the Davis-Putnam 
procedure, has been in use since 1960 and is still relevant, in spite of 
many improvements to the scheme. The algorithm employs a backtrack 
search for the satisfying assignment of inputs. By repeatedly assigning one 
variable at a time, the problem is reduced to two sub-problems until either no 
clauses are left, or the problem is not satisfiable. The order in which 
variables are assigned greatly influences the algorithm speed, prompting 
early heuristics to include the “pure literal rule” that gives priority to 
variables appearing only in one polarity. 

Davis and Putnam further introduced the resolution technique that can 
effectively eliminate the decision variables at the expense of an increased 
number of clauses. 

Example 7: Consider the following CNF expression: 

(x + y)(y + w)(y + z)(x' + y' + z')(x + w). 

To eliminate variable “y”, we create two sets of clauses Y and Y'. The set Y 
(Y') includes all clauses where “y” (“y'”) is present, with “y” (“y'”) 
deleted from the clause. In this case, the following is true: 

Y = {x, w, z} and Y' = {(x' + z')}. 

We then perform pairwise OR between the clauses in sets Y and Y', resulting 
in: 

(x + x' + z')(z + z' + x')(w + x' + z')(x + w) = (w + x' + z')(x + w). 

After simplification, we obtain the reduced SAT instance (w + x' + z')(x + w). 
Here, presence of a pure literal “w” in all clauses guarantees satisfiability 
with the assignment w=1. Hence, as this instance can be satisfied, the 
original instance is satisfiable as well. 

The resolution process is repeated for successive input variables until 
obtaining either satisfied clauses, including pure literals, or empty clauses. 
The latter indicates an unsatisfiable problem. Since each resolution step 
produces an equivalent SAT instance with preserved satisfiability, and leads to 
a definite answer, the algorithm is said to be complete. The resolution 
provides, however, only an answer YES or NO, rather than a satisfying 
assignment of all input variables. 

SAT 
repeat forever 
{ 
    /* Compute implications and check conflicts */ 
    BCP 
    if (conflict) 
        backtrack 
    elseif /* no implications and no variables to assign */ 
        return SATISFIABLE; 
    elseif /* empty clauses */ 
        return UNSATISFIABLE; 
    else 
        Assign another unassigned variable; 
} 

Algorithm 1: Davis-Putnam SAT Solver 

The Davis-Putnam backtrack search algorithm performs an implicit traversal 
of the 2^n possible binary truth assignments to the n variables of a considered SAT 
problem. A variable is regarded to be assigned when its truth value has been 
determined. Otherwise, it is unassigned. A problem is satisfied if it is 
possible for the backtracking algorithm to find satisfying assignments for all 
n variables. 

Algorithm 1 presents the pseudo-code of Davis-Putnam satisfiability 
solvers. The algorithm employs Boolean constraint propagation (BCP) for 
finding the new implications, i.e., logical consequences of a given 
assignment. Implications are computed by considering the unresolved 
clauses that have exactly one unassigned literal (unit clauses). Such unit 
clauses provide a unique value that the unassigned literal should be assigned 
to satisfy the clause. If a conflicting assignment is detected through BCP, 
then backtracking is undertaken. Finally, if no constraints are left, the 
form is satisfiable. Otherwise, if all the possible assignments were attempted 
or an empty (contradictory) clause is detected, the answer is negative. 
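
Algorithm 1 as a small runnable solver, added here as an illustration and not
taken from the book: BCP by unit propagation plus chronological backtracking.
The signed-integer literal encoding, the function names and the three sample
instances are assumptions of this example; the multiplier clauses are built
from Table 1, and the second instance is the CNF of Example 5 with the
complemented literals chosen so that it has the satisfying set listed there.

```python
from itertools import product

# Literals are signed integers: +v is variable v, -v is its complement.


def bcp(clauses, assignment):
    """Boolean constraint propagation over unit clauses.

    Returns (remaining_clauses, assignment), or (None, None) on a conflict."""
    assignment = dict(assignment)
    while True:
        remaining, unit = [], None
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                      # clause already satisfied
            free = [l for l in clause if abs(l) not in assignment]
            if not free:
                return None, None             # empty clause: conflict
            if len(free) == 1 and unit is None:
                unit = free[0]                # unit clause: an implication
            remaining.append(free)
        if unit is None:
            return remaining, assignment      # no more implications
        assignment[abs(unit)] = unit > 0
        clauses = remaining


def solve(clauses, assignment=None, stats=None):
    """Backtrack search. Returns a satisfying (possibly partial) assignment
    {variable: bool}, or None when the instance is unsatisfiable."""
    stats = {"decisions": 0} if stats is None else stats
    clauses, assignment = bcp(clauses, assignment or {})
    if clauses is None:
        return None                           # conflict: caller backtracks
    if not clauses:
        return assignment                     # no constraints left
    var = abs(clauses[0][0])                  # assign another unassigned variable
    for value in (True, False):
        stats["decisions"] += 1
        result = solve(clauses, {**assignment, var: value}, stats)
        if result is not None:
            return result
    return None                               # both values led to conflicts


def satisfies(clauses, assignment):
    """Check an assignment; variables it leaves out default to False."""
    return all(any(assignment.get(abs(l), False) == (l > 0) for l in c)
               for c in clauses)


def all_models(clauses, nvars):
    """Brute-force reference: every satisfying vector as a 0/1 tuple."""
    return [bits for bits in product((0, 1), repeat=nvars)
            if satisfies(clauses, {v + 1: bool(b) for v, b in enumerate(bits)})]


# Constructed instance 1: all four outputs of the 2-bit multiplier forced to 1.
X1, X0, Y1, Y0 = 1, 2, 3, 4
MULTIPLIER_ALL_ONES = [
    [X1], [X0], [Y1], [Y0],                   # p3 = x1 x0 y1 y0
    [X1], [Y1], [-X0, -Y0],                   # p2 = x1 y1 (x0' + y0')
    [X1, X0], [Y1, Y0], [X1, Y1], [X0, Y0],
    [-X1, -X0, -Y1, -Y0],                     # p1 in product-of-sums form
    [X0], [Y0],                               # p0 = x0 y0
]
# Constructed instance 2: (x + y')(y + z')(x + z) with x, y, z = 1, 2, 3.
EXAMPLE5_CNF = [[1, -2], [2, -3], [1, 3]]
# Constructed instance 3: the first decision (variable 1 = True) hits a conflict.
BACKTRACK_DEMO = [[-1, 2], [-1, -2], [1, 3]]

if __name__ == "__main__":
    stats = {"decisions": 0}
    print("multiplier, all outputs 1:", solve(MULTIPLIER_ALL_ONES, stats=stats), stats)
    print("Example 5 CNF, one model:", solve(EXAMPLE5_CNF))
    print("Example 5 CNF, all models:", all_models(EXAMPLE5_CNF, 3))
    stats = {"decisions": 0}
    print("backtrack demo:", solve(BACKTRACK_DEMO, stats=stats), stats)
```

The multiplier instance is refuted by BCP alone, with no decision made, which
matches the observation in Example 6 that no input sets all four output bits.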

Critical to modern SAT solvers is the ability of finding all the clauses that 
explain and prevent the repetition of the encountered conflicts. The most 
efficient implementations include also non-chronological backtracking that 
seeks the root cause of the given conflict, rather than simply undoing the 
most recent variable assignment [86]. Following a conflict, the clause 
created for avoiding the conflict is used as a “pivot” to retry. 

Example 8: In clauses K1 = (x + y)(y' + z + w)(J' + wlfiv + h + v), during the 
search following the assumption z=v=0, the assignment x=0 is made. This 
assignment results in the conflict: “y” should be equal to one because of the 
first clause and to zero because of the remaining clauses and the 
assumption. Hence, the assignment x=z=v=0 is unsatisfying. The following 
learned clause K2: 

K2 = (x + z + v) 

stating that either of the three variables is one is then added to the original 
set of clauses. In resolving the overall SAT instance: 
K1 K2 (x + r)(r + y)(s + t)(q + p), the alternative assignment x=1, with 
assumption z=v=s=q=0, results again in a conflict. This information is 
introduced to the SAT procedure by adding a newly learned clause 
K3 = (x' + z + v). Resolution applied to K2 and K3 results in a clause (z + v), 
which explains the cause of the two conflicts. The key in non-chronological 
backtracking is to change the variable that caused the conflict, in this case 
“z” or “v”, and then proceed from there. The execution of this 
non-chronological search for “v” variable is illustrated in Figure 8. 







Figure 8: Non-chronological Backtracking Example 

Newest trends in SAT solvers include the concept of “watched variables” 
by which the variables in recently learned clauses are favored in the 
selection of the decision variables [90]. Further, it was demonstrated that the 
use of software engineering practices, including code profiling, is 
beneficial to speeding up the overall algorithm execution [90]. 

1.4 Shannon Expansion 

Shannon expansion provides means for deriving a Boolean function 
representation recursively, one variable at a time. 

Definition 1: The cofactor of a Boolean function f(x1, x2, ..., xi, ..., xn) with 
respect to variable xi is f_xi = f(x1, x2, ..., 1, ..., xn). Similarly, the cofactor 
with respect to variable xi' is f_xi' = f(x1, x2, ..., 0, ..., xn). 

It is easy to prove that each Boolean function can be represented in terms 
of its cofactors by means of Shannon’s expansion. 



Theorem 2: Consider a Boolean function f: B^n → B. The function “f” can be 
derived as: 

f(x1, x2, ..., xi, ..., xn) = xi·f_xi + xi'·f_xi' = (xi + f_xi')·(xi' + f_xi)  ∀ i = 1, 2, ..., n. 

One way of representing the Shannon’s expansion is by means of a 
multiplexor that selects between the two cofactors, depending on the value 
of a splitting variable xi. 

Figure 9: Multiplexor Representation of Shannon Expansion in Variable xi 

Note that the Shannon expansion of a Boolean function along all its 
variables leads to its minterm representation. 

1.5 Polynomial Representation 

Shannon expansion is just one of the possible representations of Boolean 
functions in terms of function cofactors. There also exist positive and 
negative Davio expansions that express a Boolean function by means of its 
cofactors and the XOR operation. 

Definition 2: The positive Davio expansion of a Boolean function f(x1, x2, ..., 
xi, ..., xn) with respect to variable “xi” is: 

f = f_xi' ⊕ xi·(f_xi ⊕ f_xi') 

Similarly, the negative Davio expansion is defined as: 

f = f_xi ⊕ xi'·(f_xi ⊕ f_xi') 

These two forms apply logic xor and and operations over two cofactors. 
As the xor operation is equal to the addition over the finite field GF(2), and 
logical and corresponds to multiplication over the same field, both 
expansions can be seen as linear polynomials in a given variable. Davio 
expansions are useful for a wide class of polynomial and decision diagram 
function representations. 

Example 9: The positive Davio expansion of the MUX(a,b,sel) operation 
along the variable “sel” is a ⊕ sel·(a ⊕ b). When sel=0, then the function 
value is equal to “a”, otherwise it is equal to “b”. 

By employing positive Davio expansion along all variables, we obtain 
another canonical representation of Boolean functions, which is most 
commonly referred to as Reed-Muller (RM) expansion, or RM transform 
[92], [109], [140]. If the expansion applied to all variables is positive 
Davio, then the obtained polynomial is a positive polarity RM form. Various 
combinations of positive and negative Davio expansions result in mixed 
polarity RM forms. 

Example 10: A positive polarity RM expansion of the function MUX(a,b,sel) 
is obtained by repeated application of the positive Davio expansion. For the 
multiplexor function from Example 9, the resulting RM form is 
a ⊕ a·sel ⊕ b·sel. When the expansion along the variable “sel” is the 
negative Davio expansion, the resulting mixed polarity RM form is 
b ⊕ a·sel' ⊕ b·sel'. 
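
The positive polarity RM form can be computed from a truth table by applying
the positive Davio expansion to one variable after another. The sketch below is
an added example, not code from the book; the function names and the bit
ordering of the truth table index are assumptions. It reproduces the RM form of
the multiplexor and computes the RM forms of the multiplier bits of Table 1.

```python
def reed_muller(truth):
    """Positive polarity RM coefficients of a 0/1 truth table of length 2**n.

    Bit j of a table index is the value of variable j; bit j of a coefficient
    index tells whether variable j occurs in that monomial."""
    coeffs = list(truth)
    n = len(coeffs).bit_length() - 1
    if len(coeffs) != 1 << n:
        raise ValueError("truth table length must be a power of two")
    for j in range(n):                        # positive Davio in variable j
        bit = 1 << j
        for i in range(len(coeffs)):
            if i & bit:
                coeffs[i] ^= coeffs[i ^ bit]  # f(xj=1) xor f(xj=0)
    return coeffs


def rm_eval(coeffs, point):
    """Evaluate the RM polynomial at an input: XOR of the monomials whose
    variables are all 1 in point."""
    value = 0
    for mask, c in enumerate(coeffs):
        if c and (mask & point) == mask:
            value ^= 1
    return value


def support(coeffs):
    """Indices (variable masks) of the monomials present in the RM form."""
    return [mask for mask, c in enumerate(coeffs) if c]


def monomials(coeffs, names):
    """Readable RM form; names[j] is the name of variable j."""
    terms = []
    for mask in support(coeffs):
        lits = [names[j] for j in range(len(names)) if (mask >> j) & 1]
        terms.append("*".join(lits) if lits else "1")
    return " xor ".join(terms) if terms else "0"


def mux_truth():
    """MUX(a, b, sel) of Example 9 with a = bit 0, b = bit 1, sel = bit 2."""
    table = []
    for i in range(8):
        a, b, sel = i & 1, (i >> 1) & 1, (i >> 2) & 1
        table.append(b if sel else a)
    return table


def multiplier_bit(k):
    """Output bit p_k of the 2-bit multiplier. The index is the row of Table 1
    read as a binary number x1 x0 y1 y0, so y0 is bit 0 and x1 is bit 3."""
    return [(((i >> 2) * (i & 3)) >> k) & 1 for i in range(16)]


MULT_NAMES = ["y0", "y1", "x0", "x1"]

if __name__ == "__main__":
    print("MUX:", monomials(reed_muller(mux_truth()), ["a", "b", "sel"]))
    for k in range(4):
        print("p%d:" % k, monomials(reed_muller(multiplier_bit(k)), MULT_NAMES))
```

Because the positive polarity RM form is canonical, two descriptions of a
function are equivalent exactly when their coefficient lists are equal.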

Various applications of RM polynomials and codes are present in several 
areas. As a characteristic example, RM Transform and the associated 
functional decision diagram (FDD) graph representation were used in 
technology mapping by symmetry detection [128]. Many applications, 
mainly in error-correcting codes, were derived from this basic concept 
introduced originally by Reed and Muller. 

2. DECISION DIAGRAMS 

Decision diagrams are function representations that employ an evaluation 
process [77]. Here, instead of computing the response of the function f to the 
input stimuli, we are more interested in evaluating a given function based on 
a set of binary-valued decisions. However, as the number of cases to check 
for any binary function is exponential in the number of function inputs, the 
selection of data representation is of crucial importance. Binary decision 
diagrams prove to be desirable for binary function evaluation. 

Binary decision diagrams are based on the Shannon expansion described 
in Section 1.4. In general, bit-level decision diagrams are constructed based 
on one of the three Boolean function decompositions: 

Shannon: f = xi'·f_xi' ⊕ xi·f_xi, 
positive Davio: f = f_xi' ⊕ xi·(f_xi ⊕ f_xi'), 
negative Davio: f = f_xi ⊕ xi'·(f_xi ⊕ f_xi'). 

A binary decision diagram (BDD) [22] of an n-input function f is a 
compressed representation of a binary decision tree (BDT). 

Definition 3: A binary decision tree representing an n-input function is 
a tree, G(V,E), where “V” is a set of vertices and “E” is a set of edges. 
Edges are ordered pairs of vertices. Each vertex, labeled by an input 
function variable it represents, has exactly two outgoing edges pointing to 
the two expansion cofactors with respect to the variable. Leaves of the tree 
are constants 0 or 1. 

Example 11: Consider the minimized Boolean equation from Example 3 
describing function p1 (p1 = x1' x0 y1 + x1 x0' y0 + x1 y1' y0 + x0 y1 y0'). The BDT 
representation of this function for the input variable order {y1, y0, x1, x0} is 
as follows. 

Figure 10: BDT for Output p1 of 2-bit Multiplier and Variable Order {y1, y0, 
x1, x0} 

There are two major problems with BDTs - the size and the non- 
canonicity. Usually, but not necessarily, each input variable is traversed only 
once in the decision tree. The size of a BDT is, in general, still exponential 
in the number of inputs; however, it often varies significantly for different 
orders of variables. Due to the exponential size and its non-canonical nature, 
BDTs are not suitable for representing even simple arithmetic circuits like 
adders and multipliers. Decision diagrams address these issues. 

2.1 Reduced Ordered Binary Decision Diagrams 

Binary Decision Diagrams have been created to reduce the size of BDTs. 
The ordered BDDs (OBDDs) are defined as follows. 

Definition 4: Let π be a total order of the set of input variables x1, x2, ..., xn. 
An ordered binary decision diagram (OBDD) with respect to the variable 
order π is a directed acyclic graph having exactly one root, and satisfying 
the following properties: 

1. There are exactly two nodes (sinks) without outgoing edges labeled 0 
and 1. 

2. Each non-sink node is labeled by a variable “xi” and has two outgoing 
edges 0 and 1. 

3. The order of appearance of variables in each of the paths in the 
decision diagram corresponds to the assumed variable order π. This 
means that if there is an edge from a node labeled “xi” to another node 
“xj”, then xi <π xj. 

OBDDs are still non-canonical, i.e., for the same variable order π many 
different OBDDs can be created. Only if special reduction rules are applied 
to OBDDs we can say that the resulting decision diagram is in a canonical 
form. A significant effort in building decision diagrams is directed towards 
finding such an order of variables in a diagram that would result in the 
minimal decision diagram. 

Definition 5: A Reduced Order Binary Decision Diagram (ROBDD) 
representing an n-input binary function “f” is a directed acyclic graph 
G(V,E). Each node v ∈ V is either a non-terminal node or a leaf (0 or 1). A 
non-terminal node has an attribute: index(v) ∈ {1, 2, ..., n}, which is a 
pointer to the input variable x ∈ {x1, x2, ..., xn} represented by this node. Also 
associated with a given non-terminal node “v” are two children: left: V → V 
and right: V → V. A leaf vertex “v” has assigned an attribute value(v) ∈ B. The 
graph is ordered, i.e., for any non-leaf vertex pair (v, left(v)) and (v, 
right(v)), index(v) < index(left(v)) and index(v) < index(right(v)). Edges e ∈ E 
are given by all pairs (v, left(v)) and (v, right(v)). 

All variables in a ROBDD graph are labeled only with an index value 
(index(v)) instead of a respective decision variable. Therefore, in order to 
keep track of mapped input variables, a new function, var: {1, 2, ..., n} → 
{x1, x2, ..., xn} is introduced. For example, if function f has inputs (x1, x2, 
..., xn), then function var applied to an input xi, i = 1, ..., n, results in 
var(i) = xi. Note that this is one of the possible mappings, where the index i 
denotes the input variable xi. Other mappings are also feasible. 

Definition 6: Each ROBDD with root v ∈ V recursively defines a Boolean 
function 

f(v) = 1, if v is a leaf 1 
f(v) = 0, if v is a leaf 0 
f(v) = var(index(v))' * f(left(v)) + var(index(v)) * f(right(v)), otherwise. 



Since ROBDDs are canonical and reduced, they have been widely used as 
a preferred method of Boolean function representations in applications such 
as formal verification. 
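
A small ROBDD package in the sense of Definitions 5 and 6, added here as an illustration and not taken from the book. It shows canonicity (two different expressions of the same function reach the same root) and the effect of the variable order on size. The two reduction rules in mk() are the standard ROBDD rules and are an assumption, since the text does not spell them out; all class, function and variable names are hypothetical.

```python
from itertools import product


class ROBDD:
    """Reduced ordered BDD for one fixed variable order (Definitions 5 and 6)."""

    def __init__(self, order):
        self.order = list(order)   # var(i) = order[i - 1] for Index i = 1..n
        self.n = len(self.order)
        self.node = {}             # node id -> (Index, left, right); ids 0 and 1 are the leaves
        self.unique = {}           # (Index, left, right) -> node id

    def mk(self, index, left, right):
        if left == right:          # rule 1: a test whose two children coincide is redundant
            return left
        key = (index, left, right)
        if key not in self.unique: # rule 2: identical (Index, left, right) triples share one node
            node_id = len(self.node) + 2
            self.node[node_id] = key
            self.unique[key] = node_id
        return self.unique[key]

    def build(self, func, index=1, env=None):
        """Expand func over the variables in order; exponential, for small n only."""
        env = {} if env is None else env
        if index > self.n:
            return 1 if func(env) else 0
        name = self.order[index - 1]
        left = self.build(func, index + 1, {**env, name: 0})
        right = self.build(func, index + 1, {**env, name: 1})
        return self.mk(index, left, right)

    def evaluate(self, root, env):
        """Definition 6: follow left when var(Index(v)) = 0, right when it is 1."""
        v = root
        while v > 1:
            index, left, right = self.node[v]
            v = right if env[self.order[index - 1]] else left
        return v

    def reachable(self, root):
        seen, stack = set(), [root]
        while stack:
            v = stack.pop()
            if v > 1 and v not in seen:
                seen.add(v)
                stack.extend(self.node[v][1:])
        return seen

    def size(self, root):
        """Number of non-terminal nodes reachable from root."""
        return len(self.reachable(root))

    def is_ordered(self, root):
        """Definition 5: Index(v) < Index(child) on every edge to a non-terminal child."""
        return all(self.node[v][0] < self.node[c][0]
                   for v in self.reachable(root)
                   for c in self.node[v][1:] if c > 1)


# Constructed sample function: f = x1*x2 + x3*x4 + x5*x6
def pairs(env):
    return ((env["x1"] and env["x2"]) or (env["x3"] and env["x4"])
            or (env["x5"] and env["x6"]))


PAIRED = ["x1", "x2", "x3", "x4", "x5", "x6"]   # each product's variables adjacent
SPLIT = ["x1", "x3", "x5", "x2", "x4", "x6"]    # each product's variables far apart


def compare_orders():
    """Sizes of the ROBDD of the same function under the two orders."""
    good, bad = ROBDD(PAIRED), ROBDD(SPLIT)
    return good.size(good.build(pairs)), bad.size(bad.build(pairs))


def canonical_roots():
    """NOT(a AND b) and (NOT a) OR (NOT b) built in one manager."""
    bdd = ROBDD(["a", "b"])
    r1 = bdd.build(lambda e: not (e["a"] and e["b"]))
    r2 = bdd.build(lambda e: (not e["a"]) or (not e["b"]))
    return r1, r2


def agrees_with_function(order=SPLIT):
    """The diagram is ordered and evaluates to the function at every input point."""
    bdd = ROBDD(order)
    root = bdd.build(pairs)
    return bdd.is_ordered(root) and all(
        bdd.evaluate(root, dict(zip(order, bits)))
        == int(bool(pairs(dict(zip(order, bits)))))
        for bits in product((0, 1), repeat=len(order)))


if __name__ == "__main__":
    print("nodes (paired order, split order):", compare_orders())
    print("roots of the two equivalent expressions:", canonical_roots())
```

The same six-variable function needs 6 non-terminal nodes under one order and 14 under the other, which is the sensitivity to variable ordering that the text describes.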

2.2 Word-Level Decision Diagrams 

Word-Level Decision Diagrams (WLDDs) were introduced to overcome 
the limitations of BDDs, in particular for arithmetic circuits. For example, 
describing a large multiplier for the purpose of verification is impossible 
with BDDs, as the size of the corresponding BDDs grows exponentially with 
the number of inputs. However, it turns out that a decision diagram of a 
multiplier can become compact when the outputs are viewed as words, i.e., 
integers. 

Many practical circuits have regular and simple structure when 
considered at a sufficiently high level of abstraction. High-level circuit 
descriptions allow the use of buses and datapath elements such as adders and 
multipliers. In such cases, multiple Boolean variables are grouped to form a 
single word-level quantity. As BDDs cannot take advantage of such 
groupings, WLDDs have been used instead. Recent formal verification 
methods employ WLDDs as a preferable circuit representation [10], [13], 
[35]. We illustrate the need for word-level descriptions by the following 
example. 

Example 12: Consider a calculation of a binomial coefficient according to 
the following specification: 

k] k\ 

As seen from the definition, it takes 2k-2 integer multiplications and one 
division to describe this computation at word level. The representation at a 
bit level is not feasible, as multipliers alone require exponential size BDDs. 

To deal with word-level quantities, WLDDs are built as graph-based 
representations similar to BDDs; however, they allow describing functions 
with Boolean domain and an integer co-domain. Examples of WLDDs 
include EVBDDs [81], ADDs [11], MTBDDs [34], *BMDs [23], HDDs 
[35], and K*BMDs [46]. WLDDs are widely used for circuit modeling in 
verification tools based on symbolic model checking [10], [36]. 

2.2.1 Binary Moment Diagrams 

Binary Moment Diagrams (BMDs) belong to the class of WLDDs. They 
overcome many difficulties in representing arithmetic functions by lifting 
the assumption that function outputs are binary. If we relax this condition, 
and allow a function to accept binary inputs and produce word-level 
(integer) outputs, the resulting decision diagram representations often have 
surprisingly compact forms. In particular, arithmetic functions can be simply 
represented that way. 

A binary input, word-level output function $f: B^n \to W$ can be described 
by the following modified Shannon expansion of f around input variable $x_i$. 



By applying the basic Boolean rules to the above equation, we obtain: 

$f = x_i \cdot f_{x_i} + (1 - x_i) \cdot f_{\bar{x}_i} = f_{\bar{x}_i} + x_i \cdot (f_{x_i} - f_{\bar{x}_i})$    (1) 

where “+”, “−” and “·” denote standard arithmetic operations over word-level 
(integer) values. The difference $f_{\dot{x}_i}$ between the cofactors, 

$f_{\dot{x}_i} = f_{x_i} - f_{\bar{x}_i}$, 

is a linear moment of f with respect to $x_i$. We can also view it as a partial 
derivative of f with respect to $x_i$. Note that Equation (1) reduces to a positive 
Davio expansion of function f when GF(2) arithmetic is used. The 
decomposition proposed by Equation (1) is the underlying function 
representation for binary moment diagrams (BMDs), defined as follows. 

Definition 7: A binary moment diagram (BMD) is an ordered decision 
diagram representing a function $f: B^n \to W$. Each internal BMD node “v” 
with label “$x_i$” represents the moment decomposition of “f”. The function 
given by each internal node of a BMD is computed according to the moment 
decomposition of “f”: $f_v = f_{\bar{x}_i} + x_i f_{\dot{x}_i}$. Then, $f_{\bar{x}_i}$ and $f_{\dot{x}_i}$ are 0- and 1-successors 
of “v”, respectively. 

A generalization of the BMD is the multiplicative BMD (*BMD). The 
construction rules applied to obtain *BMDs are the same as those with 
BMDs; however, integer weights are allowed on the edges. Thanks to the 
application of weights to graph edges, most of the arithmetic operations 
including multiplication can be represented by *BMDs linear in size. 



Example 13: The *BMD of a two-bit multiplier can be obtained by 
considering the expression $(x_0 + 2x_1) * (y_0 + 2y_1)$, which is the defining equation 
of multiplication in terms of binary inputs. The resulting graph 
representation is given in Figure 11. 

Figure 11: *BMD of a 2-bit Multiplier, $(y_1y_0) * (x_1x_0)$ 

2.2.2 Limitations of WLDDs 

The WLDDs can be considered as the first working attempt to specify 
circuits given in terms of high level hardware description languages (HDLs) 
like VHDL and Verilog, as well as their synthesized gate level 
representation. Although WLDDs in general perform much better in 
describing arithmetic circuits, they are still troubled by the same 
fundamental problem as HDDs. For example, variable ordering critically 
influences the diagram size, and this problem is intractable. 

Furthermore, composing a representation of complex datapaths exposes 
additional disadvantages of WLDDs. Straightforward composition of even 
two arithmetic circuit WLDDs is impossible due to the input/output type 
compatibility [102]. The following example illustrates the difficulties in 
constructing WLDDs from HDL descriptions. 

Example 14: Consider again the binomial coefficient generation, whose 
specification requires O(2k) multiplication operations. This time, we chose 
the multiplication-free realization based on the iteratively applied Pascal 
triangle property: 

The high-level description is given by VHDL code in Algorithm 2. This 
implementation maintains an array of temporary results rc to store the 
coefficients and perform the Pascal triangle computation steps. As shown in 
Figure 12, an array of integers rc is being updated over time with Pascal 
triangle coefficients. At time instance “n”, the k-th entry of array rc contains 
the sought binomial coefficient. To represent such a computation, the 
representation has to deal with sequential circuits, unlike WLDDs, which 
are combinational circuit representations. 



entity pascal_triangle is 
  generic( n: integer := 10; 
           k: integer := 5); 
  port( binom: out integer); 
end pascal_triangle; 

architecture behav of pascal_triangle is 
  type array_int is array (0 to k) of integer; 
  signal rc: array_int; 
begin 
  process 
    variable i, j: integer; 
    variable rp, rp_tmp: array_int; 
  begin  -- initialization of vectors rp and rp_tmp 
    for i in 0 to k loop 
      rp(i) := 1; 
      rp_tmp(i) := 1; 
    end loop; 

    for i in 1 to n loop  -- calculation of all rows 
      for j in 1 to k loop  -- coef as sum of two lower order ones 
        rp_tmp(j) := rp(j-1) + rp(j); 
      end loop; 
      rp := rp_tmp; 
    end loop; 
    rc <= rp; 
    wait;  -- no sensitivity list: suspend after one evaluation 
  end process; 
  binom <= rc(k-1); 
end behav; 

Algorithm 2: Calculating Binomial Coefficients by Pascal Triangle 

Figure 12: Execution of Pascal Triangle Computation (first iteration: rc0, second iteration: rc1) 

When comparing WLDDs to BDDs, one can notice the problems with 
composing WLDD circuit specifications that do not exist with binary DDs. 
Hence, it is not always true that word-level decision diagrams are a better 
choice than the binary DDs. 

Example 15: Consider a realization of a complex multiplication, with the 
two outputs for real and imaginary part, Figure 13. For simplicity, we depict 
the case of two-bit unsigned encoding for real and imaginary parts of the 
input. The real part is obtained as: 

$P_r = (y_1y_0)_r * (x_1x_0)_r - (y_1y_0)_i * (x_1x_0)_i$. 

In Figure 13, part a) refers to the construction with WLDDs (in this case 
*BMDs), while part b) illustrates the use of BDDs. The first step of 
obtaining individual *BMDs representing products of real and imaginary 
parts: $(y_1y_0)_r * (x_1x_0)_r$ and $(y_1y_0)_i * (x_1x_0)_i$ can be easily realized using *BMDs. 

However, the straightforward composition of intermediate diagrams leading 
to the description of the final design: 

$P_r = (y_1y_0)_r * (x_1x_0)_r - (y_1y_0)_i * (x_1x_0)_i$ 

is impossible. There, the outputs of intermediate *BMDs of multiplications 
are at word level, and hence cannot serve as inputs to another *BMD 
representing the subtraction needed to obtain the final form of a real part of 
the product. 

On the other hand, while the intermediate products cannot be compactly 
represented using BDDs, their composition is straightforward through the 
application of the ITE algorithm [89]. 

Either way, the limitations of DDs point to the need for alternative 
representations and circuit manipulation methods. One possible solution 
might be by extending the definitions of word-level representations, as 
proposed in [102]. 

Figure 13: Limitations in Representing Complex Multiplication by *BMDs 
and BDDs. a) Construction of WLDDs. b) Construction of BDDs 



3. SPECTRAL REPRESENTATIONS 

In representations derived from a truth table, each row holds local 
information about the behavior of a function f at only one point (related to 
the single combination of input variables). Based on that data nothing can be 
said about the value of f anywhere else. Only the mixture of information 
carried by all $2^n$ rows of a truth table creates full description of a behavior of 
f(X). 

Sometimes, however, it is advantageous to have at least partial 
information about the function f at all of its $2^n$ points. This can be achieved 
by representing f(X) in spectral domain, where each of $2^n$ spectral 
coefficients contains partial information about function behavior for all 
inputs. Although all $2^n$ points and spectral coefficients are still needed for a 
complete description of a function, spectral coefficients contain useful 
global information about the function. 

There are many applications where a function representation in spectral 
domain is more desirable [126]. Examples include a classification of 
Boolean functions for Universal Logic Module construction, property 
detections (most notably symmetry), synthesis and testing [66]. 

Transformations from Boolean into spectral domain can take several 
forms. Algebraic forms are predominantly used in communication 
applications as a basic way of switching between time- (function) and 
frequency- (spectral) domains. However, as mappings between Boolean and 
spectral domains are linear over a suitable space, a matrix representation 
always exists, Figure 14. 

Figure 14: Transform Operation (Boolean function f(x) in the Boolean Domain; spectral function representation in the Spectral Domain) 

To calculate spectral coefficients using a transform matrix, a vector of all 
function values, y = f(x), is multiplied by the transform matrix T. Vector y 
can be determined, for example, from a truth table. Matrix T is characteristic 
of a given transformation, and its size is compatible with vector y. A vector 
S, which represents all spectral coefficients of a function f, is then: S = Ty. 



3.1 Walsh-Hadamard Transform 



Most of the original applications of spectral analysis focus on the use of 
Walsh-Hadamard Transform (WHT) due to its many desirable properties. 
Examples include invariance to input permutations, negations, and linear 
(over GF2) operations that can be applied to the classification of logic 
functions and to the design of Universal Logic Modules. Furthermore, as 
Walsh-Hadamard Transform is an instance of the abstract Fourier 
Transform, many useful relations like Parseval’s equality, convolution 
characteristics, etc. are applicable to its spectrum. This transform, often 
referred to as Walsh Transform, has been used in numerous communication 
applications as well. Examples include code spreading in CDMA and 
OFDM wireless standards [108]. 

3.2 Walsh Transform Variations 



Walsh Transform represents Boolean functions $\{0,1\}^n \to \{0,1\}$ as a linear 
combination of up to $2^n$ n-variable basis functions. Since the transform is 
linear, a transform matrix can be used for its derivation. Interestingly, there 
is no apparent total order among basis functions, and different orderings 
result in various versions of the transform. For example, Hadamard ordering 
is related to Hadamard matrices [66], and its matrix of size $2^n \times 2^n$ is given 
by the following recursive definition: 



$T_n =$ 

$T_0 = 1$.     (2) 



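Example 16: Hadamard matrices for n = 1 and n = 2 are: 

$T_1 = \begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix}, \quad T_2 = \begin{bmatrix} 1 & 1 & 1 & 1 \\ 1 & -1 & 1 & -1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & -1 & 1 \end{bmatrix}$ 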



The resulting transform is referred to as Walsh-Hadamard Transform 
(WHT). The transform is symmetric, i.e., $[T_n]^T = T_n$, and has an inverse 
$T_n^{-1} = \frac{1}{2^n} T_n$, where the factor $2^{-n}$ is needed for orthonormality. Alternative 
orderings by Paley, Kaczmarz and Rademacher have the rows and columns 
of their transform matrices permuted. Matrices of Walsh-Paley and Walsh- 
Kaczmarz (generally referred to as Walsh) Transforms are symmetric, i.e., 
$[T_n]^T = T_n$, and have an inverse $T_n^{-1} = \frac{1}{2^n}[T_n]^T$. On the contrary, 
Rademacher-Walsh Transform matrix does not possess the symmetry 
property, i.e., $[T_n]^T \neq T_n$. Among possible variations, 
Walsh-Hadamard Transform comes with a recursively defined transform 
matrix. 



Example 17: For n = 4, Walsh-Hadamard (Hadamard), Walsh (Walsh- 
Kaczmarz), Walsh-Paley and Rademacher-Walsh matrices have the 
following forms: 

[Matrices: Walsh-Hadamard, Walsh-Kaczmarz, Rademacher-Walsh, Walsh-Paley] 

It is obvious that any of the transforms obtained by permuting rows of a 
transform matrix are equivalent, as using a different ordering only permutes 
the spectrum. Additional transforms can be generated by inverting the rows 
or columns [66] of the transform matrix. This property will come in handy in 
Chapter 6. 

Function spectrum also depends on the encoding of the input binary 
values. In this book, we assume that input values are encoded by 0 and 1. 
However, in some other applications (e.g. in communications) the encoding 
by -1 and 1 is more appropriate. The spectrum of one encoding can be 
obtained by applying a linear transformation to the spectrum associated with 
the alternative input encoding [66]. 

3.3 Walsh-Hadamard Transform as Fourier Transform 

The extension of Fourier Transform to Boolean functions motivated the 
original work on spectral methods in logic synthesis. It is known that WHT 
is indeed defined as a Fourier Transform over $\{0,1\}^n$, i.e., orthogonal 
transform with the Fourier kernel. 

For Boolean functions f and g: $\{0,1\}^n \to \{0,1\}$, a scalar (or dot) product 
is defined as: 



The dot product naturally induces a norm as: 



Fourier Transform is defined as an expansion with respect to the basis 
functions that are orthonormal. For each pair of basis functions, the dot 
product is 0, unless the two functions are equal, in which case it is 1. Such 
orthonormal basis can be obtained for the multivariate binary input case in 

the following way. For the set of input variables $x_0, x_1, \ldots, x_{n-1}$, each of their 
subsets S is associated with a basis function (Fourier kernel): 

$\chi_{\{S\}} = \exp\left(i\pi \sum_{l \in S} x_l\right) = \begin{cases} +1 & \text{if } \sum_{l \in S} x_l \text{ is even} \\ -1 & \text{if } \sum_{l \in S} x_l \text{ is odd} \end{cases}$ 

and Boolean functions are represented using basis functions as: 

$W(f) = \sum_{S} C_{\{S\}} \chi_{\{S\}}$. 

Each spectral coefficient $C_{\{S\}}$ is generated as a projection to its basis 
vector, i.e., the dot product $C_{\{S\}} = \langle f, \chi_{\{S\}} \rangle$. The spectral coefficient $C_{\{S\}}$ is 
also equal to the correlation with the following xor function: $\bigoplus_{l \in S} x_l$. 
Recall that a row of the WHT transform matrix is the exclusive-or of all 
subsets of variables, and hence, Fourier spectrum is indeed WHT. 

The energy density spectrum $\|f\|^2$, i.e., a sum of the squares of spectral 
coefficients equals the square of the norm in the function domain. This 
property, known as the Parseval equality, follows from the orthonormality 
of the basis: 

The Parseval equality, however, does not hold for the expansions along 
non-orthogonal bases (as in the case of Arithmetic Transform). Further 
useful properties that link correlation, convolution and spectral coefficients 
also do not hold in that case. 



Lemma 1: The Walsh-Hadamard Transform energy density spectrum of 
Boolean function $f: \{0,1\}^n \to \{0,1\}$ is proportional to: 

a) number of ones that function takes for {0, 1} encoding of inputs. 

b) $2^n$ for {-1,1} encoding of inputs. 

Proof: By applying the Parseval equality, we easily obtain both quantities. ■ 

In the latter case, the energy density spectrum is the same for all Boolean 
functions. Differences in complexities among functions are attributed to the 
distribution of their powers in spectra. We consider relating the Walsh 
spectra to the corresponding spectra of Arithmetic Transform, which is non- 
orthogonal. Often used are the properties of functions whose power is 
concentrated in the low-order coefficients [84]. 

Walsh Transform can be extended to represent multi-output circuits, by 
means of their transformation to a pseudo-Boolean function. To achieve that, 
we use a function V(x), equal to the integer value that a binary output vector 
takes when considered as an integer. Given an m-bit vector, V(x) 
depends on the word encoding. For unsigned integer encoding, V(x) is 
calculated as $V(x) = \sum_{i=0}^{m-1} x_i 2^i$. Then, the transform for a multi-output function 
$f: \{0,1\}^n \to \{0,1\}^m$ is obtained by considering the outputs as integers in the 
range $W = [0, 2^m - 1]$, and consequently, a pseudo-Boolean function f is defined 
as: $f: \{0,1\}^n \to W$. Then, WHT is a result of multiplying the vector of word- 
level values by the transform matrix. 

Example 18: WHT of a two-bit multiplier is generated by considering the 
function outputs (Example 1) as a vector of integers: f = [0 0 0 0 0 1 2 3 0 2 
4 6 0 3 6 9]'. The multiplication of this vector by transform matrix $T_4$ 
results in the following transform coefficients: c = [36 -12 -24 0 -12 4 8 0 
-24 8 16 0 0 0 0 0]'. Observe that the spectrum is concentrated in low-order 
part. This concentration becomes more pronounced as the size of the 
multiplier increases: WHT of a 4-bit multiplier has 25 non-zero coefficients 
(out of 256 coefficients in total); again, these are the low-order coefficients. 
For 8-bit multipliers, only 82 out of $2^{16}$ coefficients are nonzero, etc. 
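
The spectrum of Example 18 can be recomputed with the following added example, which is not code from the book. It computes S = Ty both with the full Hadamard-ordered matrix and with the in-place butterfly, and checks the Parseval relation for the unnormalized transform. The matrix is built by the Sylvester recursion (T_0 = [1], T_n = [[T, T], [T, -T]]), assumed here because it reproduces the matrices of Example 16; function names are hypothetical.

```python
def hadamard(n):
    """T_0 = [1]; T_n stacks [T, T] over [T, -T] (Hadamard ordering)."""
    t = [[1]]
    for _ in range(n):
        t = [row + row for row in t] + [row + [-v for v in row] for row in t]
    return t


def wht_by_matrix(y):
    """S = T y with the full 2^n x 2^n matrix: O(2^(2n)) operations."""
    n = len(y).bit_length() - 1
    return [sum(t * v for t, v in zip(row, y)) for row in hadamard(n)]


def fwht(y):
    """Same spectrum from n * 2^(n-1) butterflies (sum, difference)."""
    s = list(y)
    if not s or len(s) & (len(s) - 1):
        raise ValueError("vector length must be a power of two")
    h = 1
    while h < len(s):
        for start in range(0, len(s), 2 * h):
            for i in range(start, start + h):
                s[i], s[i + h] = s[i] + s[i + h], s[i] - s[i + h]
        h *= 2
    return s


def inverse_fwht(s):
    """T^-1 = T / 2^n, so the inverse is the same butterfly plus a scaling."""
    return [v // len(s) for v in fwht(s)]


def multiplier_vector(bits):
    """Word-level outputs a*b, indexed by the bits of a (high) then b (low)."""
    return [a * b for a in range(2 ** bits) for b in range(2 ** bits)]


def nonzero_count(spectrum):
    return sum(1 for c in spectrum if c != 0)


def energy(spectrum):
    """Sum of squared spectral coefficients."""
    return sum(c * c for c in spectrum)


def parseval_holds(y):
    """Unnormalized WHT: sum of S^2 equals 2^n times the sum of y^2."""
    return energy(fwht(y)) == len(y) * sum(v * v for v in y)


if __name__ == "__main__":
    f = multiplier_vector(2)
    print("f =", f)
    print("c =", fwht(f))
    print("nonzero coefficients, 4-bit multiplier:",
          nonzero_count(fwht(multiplier_vector(4))), "of 256")
    print("Parseval:", parseval_holds(f))
```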

The above Fourier Transforms are global, as every coefficient depends 
on the function value at each point. However, it is also useful to consider 
transforms that are local. For such transforms, most coefficients depend only 
on a subset of function values. The first such example was Haar Transform 
[66], which is orthogonal and has the multi-resolution property. The 
combinations of Haar and Walsh transforms have shown to be promising 
[50]. 

4. ARITHMETIC TRANSFORM 

Arithmetic Transform (AT) is known under many names, such as integer- 
valued Reed-Muller (RM) polynomial representation [51] or probabilistic 
transform [78]. AT extends the traditional RM expansion to pseudo-Boolean 
functions, i.e., to those which have non-Boolean (e.g. integer valued) 
outputs, while the inputs remain Boolean. We have already illustrated the 
need and benefits of word level function representation on an example of the 
evolution of decision diagrams from BDDs to WLDDs. Most WLDDs of 
interest are just graph representations of AT. 

RM Transform of a Boolean function f is obtained by applying positive 
Davio expansion around each input variable x, y, ..., etc. as follows: 

$f = f|_{x=0} + x\,(f|_{x=1} - f|_{x=0})$.    (3) 

In the case of RM expansion, the arithmetic is performed over finite field 
GF2, i.e., modulo 2; consequently, “+” and “−” denote the xor operation. In 
the case of AT, the notion of Davio expansion is generalized, and the 
expansion is obtained by using the word-level (e.g., integer) addition in 
Equation (3). 

Arithmetic Transform of a pseudo-Boolean function f is calculated by 
applying to each variable the expansion from Equation (3). This integer- 
valued expansion leads to a polynomial: 

$f = \sum_{i_0=0}^{1} \sum_{i_1=0}^{1} \cdots \sum_{i_{n-1}=0}^{1} c_{i_0 i_1 \ldots i_{n-1}} x_0^{i_0} x_1^{i_1} \cdots x_{n-1}^{i_{n-1}}$    (4) 

AT expresses a function using the set of linearly independent basis 
functions defined as: 

$x_0^{i_0} x_1^{i_1} \cdots x_{n-1}^{i_{n-1}}$, where $x_j^{i_j} = \begin{cases} x_j, & i_j = 1 \\ 1, & i_j = 0. \end{cases}$ 

Coefficients $c_{i_0 i_1 \ldots i_{n-1}}$ are calculated as the inner product of function f and 
the basis vector $x_0^{i_0} x_1^{i_1} \cdots x_{n-1}^{i_{n-1}}$ over real numbers (however, the arithmetic is 
most often restricted to integers). 

Integer coefficients $c_{i_0 i_1 \ldots i_{n-1}}$ are called the arithmetic spectrum. 
Arithmetic Transform is then an instance of a representation of a function by 
its spectral coefficients (spectrum). Each spectral coefficient $c_{i_0 i_1 \ldots i_{n-1}}$ 
multiplies a basis function $x_0^{i_0} x_1^{i_1} \cdots x_{n-1}^{i_{n-1}}$. In the case of AT, as the basis 
consists of monomials, the transform is simply treated as a polynomial. 

AT is particularly valuable in representing arithmetic functions. To 
quickly obtain the arithmetic spectrum of such functions, we use an 
auxiliary valuation function V(x). For instance, an unsigned n-bit variable 
$x = x_0 x_1 \ldots x_{n-1}$ has the valuation: 

$V(x) = \sum_{i=0}^{n-1} x_i 2^i$. 



In general V(x) is equal to the value taken by a variable x considered as a 
word-level quantity. Table 2 contains commonly used integer and fractional 
data type valuations. 



Word 


Valuation V{x) 




Unsigned 


Sign Extended 


2’s Complement 






(l-2x,.,)Ix,2' 

f-O 


MO 


Fractional 


1^,2-' 


(l-2x<,)Ix,2 ' 
/=! 




Fixed Point 


t-o 


d-2xo)Sx,2'-" 

1-1 


l‘xf2'-”'-xo2'"-" 

/-I 



Table 2: Valuation Functions for Common Word Encodings 

AT of an arithmetic expression is then simply equal to its valuation V(f). 
As an example, consider Arithmetic Transform of an n-bit adder f = x + y. 
Here, the numerical value of the sum of two n-bit unsigned numbers x and y 
is determined as: 



/=o 

Comparing with Equation (4), we notice that this is a polynomial with 
integer coefficients representing a multiple-output function of arguments $x_i$ 
and $y_i$, where $i = 0, \ldots, n-1$, i.e., its AT. As a result, AT of the addition 
operation has 2n nonzero spectral coefficients. 

In a similar way, the subtraction operation is obtained by replacing the 
arithmetic “+” with a “−” sign. For example, for sign-extended encoding, the 
difference is: 

(=0 1=0 j =0 

Datapath elements such as multipliers can also be represented in a 
straightforward way by using $O(n^2)$ spectral coefficients: 

$V(x * y) = \sum_{i=0}^{n-1} x_i 2^i \times \sum_{i=0}^{n-1} y_i 2^i$ 

This expression leads to AT coefficients after the sums are multiplied 
out. In practice, this number can be effectively reduced to 2n by keeping the 
polynomial in the above factored form. We note that multipliers have also 
been kept in factored form in representation by *BMDs and related word- 
level decision diagrams. 

The extension to the more complex arithmetic expressions is 
straightforward. Here, a multiple-output Boolean function is described by a 
single polynomial, i.e., its arithmetic spectrum. For example, AT of x + yz is 
a simple expression: 



i‘0 ;=0 MO 

For example, any finite impulse response (FIR) filter with m coefficients 
and integer inputs can be expressed using mn 
spectral coefficients: 

$V(a_1x_1 + a_2x_2 + \ldots + a_mx_m) = \sum_{i=0}^{n-1} (a_1x_{1i} + a_2x_{2i} + \ldots + a_mx_{mi}) 2^i$. 

The application of AT to alternative data types results in the spectrum of 
size comparable to that for the unsigned integer encoding. 



4.1 Calculation of Arithmetic Transform 



Arithmetic Transform of an arbitrary pseudo-Boolean function can be 
formed by multiplying a vector of function values with the transform matrix 
$T_n$. The matrix has $2^{2n}$ entries, and is defined recursively as: 

$T_0 = 1$.     (5) 

Such a multiplication of a vector of function values with $T_n$ requires 
$O(2^{2n})$ operations. We use this transform computation scheme for the 
analysis with other spectral methods in Chapter 6; however, there exist faster 
ways of determining AT. 




Figure 15: Butterfly Diagram for Fast Arithmetic Transform 

4.1.1 Fast Arithmetic Transform 

Computationally most efficient is Fast Arithmetic Transform, which in 
$O(n2^{n-1})$ time and $O(2^n)$ space employs recursively the expansion from 
Equation (3). Similar to the other fast transform algorithms, the computation 
is performed in-place, i.e., by a repeated application of the same transform 
steps over the data kept in the same $2^n$ locations. Such a computation is 
described well by the means of the butterfly diagram, Figure 15. It can be 
recognized that the overall transform repeats the basic 2x2 transform block 
by which the first element is kept the same, while the second element is 
obtained as a difference between the second and the first element. This 
approach can be used in conjunction with decision diagrams for reducing the 
execution time and producing graph descriptions such as *BMDs. 

4.1.2 Boolean Lattice and AT Calculation 



Yet another way to generate the arithmetic spectrum is that of polynomial 
interpolation from the values that a considered function takes [142]. In its 
simplest form, the arithmetic spectrum interpolation is derived by 
representing pseudo-Boolean functions $f: 2^n \to W$ by means of 
the Boolean lattice $B = 2^n$, Figure 16. To form the lattice structure, the 
partial order relation < is defined on Boolean vectors (points in the lattice 
$2^n$) as follows. For vectors x and y we say that y < x if the coordinates of x 
that are “0” are the subset of 0-coordinates of y, for example, 0010 < 1010. 
Incomparable vectors exist, such as 1010 and 0110. Vectors with i ones 
belong to the same layer in the lattice. For n-variable functions, the i-th 
layer contains $\binom{n}{i}$ vectors. 

Figure 16: Lattice Structure with Incorporated AT of a 2-Bit Adder 



Arithmetic Transform is then obtained by traversing the lattice in the 
increasing order of points. Following the interpolation algorithm in [141], it 
can be shown that at each point x, the spectral coefficient $c_x$ is calculated by 
subtracting all the preceding coefficients from the function value at x, 
starting from the bottom values: $f_{00 \ldots 0} = c_{00 \ldots 0}$ and 

$c_x = f_x - \sum_{y < x} c_y$    (3) 

Consider, for example, transforming the adder function f = a + b with 2- 
bit unsigned inputs: $a = a_1a_0$, $b = b_1b_0$. Assume that each point in the 
lattice corresponds to an assignment of inputs in the order of variables: 
$a_1a_0b_1b_0$. The spectral coefficients of AT(f) are generated by applying 
Equation (3) to function values in an increasing lattice order, i.e., $c_{0000} = f_{0000}$ 
= 0 + 0 = 0, $c_{0001} = f_{0001} - c_{0000}$ = 0 + 1 - 0 = 1, $c_{0010} = f_{0010} - c_{0000}$ = 0 + 2 - 0 = 
2, $c_{0100} = 1$ and $c_{1000} = 2$. All other coefficients are 0, as in Figure 16, where 
nonzero coefficients are highlighted. The resulting polynomial is: $AT(f) = (a_0 
+ b_0) + (a_1 + b_1) * 2$. By extending this construction to n-variable 
functions, it is easy to see that for unsigned arithmetic functions, all nonzero 
coefficients of AT are in layer 1 (for adders) or layer 2 (multipliers) of the 
lattice. 
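
The two ways of computing the arithmetic spectrum described in Sections 4.1.1 and 4.1.2 are shown side by side in the following added example, which is not code from the book. fast_at applies the 2x2 butterfly block (first element kept, second replaced by second minus first), lattice_at subtracts all preceding coefficients layer by layer, and both are run on the 2-bit adder of the text and, going beyond it, on 2-bit and 4-bit multipliers. Function names and the dictionary output format are hypothetical.

```python
def fast_at(values):
    """Fast Arithmetic Transform, in place over 2^n locations, one pass per variable."""
    c = list(values)
    if not c or len(c) & (len(c) - 1):
        raise ValueError("vector length must be a power of two")
    h = 1
    while h < len(c):
        for start in range(0, len(c), 2 * h):
            for i in range(start, start + h):
                c[i + h] -= c[i]      # 2x2 block: keep first, second = second - first
        h *= 2
    return c


def lattice_at(values):
    """Interpolation over the Boolean lattice: c_x = f_x - sum of c_y for all y < x."""
    c = [0] * len(values)
    by_layer = sorted(range(len(values)), key=lambda p: bin(p).count("1"))
    for x in by_layer:
        # y < x in the lattice: the ones of y are a proper subset of the ones of x
        preceding = sum(c[y] for y in range(x) if y & x == y)
        c[x] = values[x] - preceding
    return c


def evaluate_at(c, x):
    """Value of the polynomial at point x: sum of coefficients of monomials contained in x."""
    return sum(c[y] for y in range(x + 1) if y & x == y)


def adder_vector(bits):
    """f = a + b, points indexed by the bits of a (high) then b (low)."""
    return [a + b for a in range(2 ** bits) for b in range(2 ** bits)]


def multiplier_vector(bits):
    """f = a * b with the same point indexing."""
    return [a * b for a in range(2 ** bits) for b in range(2 ** bits)]


def nonzero(c):
    """Nonzero coefficients keyed by their lattice point, e.g. '0110'."""
    width = len(c).bit_length() - 1
    return {format(i, "0{}b".format(width)): v for i, v in enumerate(c) if v}


def layers(c):
    """Lattice layers (number of ones in the point) that hold nonzero coefficients."""
    return {bin(i).count("1") for i, v in enumerate(c) if v}


if __name__ == "__main__":
    adder = fast_at(adder_vector(2))
    mult = fast_at(multiplier_vector(2))
    print("2-bit adder AT:     ", nonzero(adder), "layers", layers(adder))
    print("2-bit multiplier AT:", nonzero(mult), "layers", layers(mult))
    print("4-bit adder / multiplier nonzero counts:",
          len(nonzero(fast_at(adder_vector(4)))),
          len(nonzero(fast_at(multiplier_vector(4)))))
```

For n-bit operands the adder keeps 2n nonzero coefficients and the multiplied-out multiplier n^2, matching the counts given in Section 4.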

4.2 AT and Word-Level Decision Diagrams 

It is interesting to draw the relation between AT and various Word Level 
Decision Diagrams. While AT is defined as a unique polynomial describing 
pseudo-Boolean functions, WLDDs are the graph representations that extend 
the binary DDs. 

In binary DD representations, there is an apparent dichotomy between 
functional and spectral domains. Original BDDs describe functions using 
graphs in functional domain, by means of recursively applied Shannon 
decomposition, followed by the applications of ROBDD reduction rules. We 
contrast this construction to the class of Functional Decision Diagrams 
(FDDs), which are the binary DDs that represent concisely the RM forms. 
Hence, while the BDDs are the functional domain graphs, FDDs are such 
graphs of Boolean functions in the spectral domain. While in the first case 
we apply the Boolean algebra operators to express the truth tables by 
Shannon expansion, in the second case, all computation is performed over 
finite field GF2, with xor and and as addition and multiplication, 
respectively. 

By extending this analogy to pseudo-Boolean functions with word-level 
outputs, one would expect the same dichotomy between the functional and 
spectral domain representations. In the first group, we find forms such as 
EVBDDs and MTBDDs. However, most widely used WLDDs belong to the 
spectral domain graphs, including BMDs and *BMDs. It turns out that these 
WLDDs directly represent AT of pseudo-Boolean functions. Hence, BMDs 
and *BMDs extend and generalize FDD construction over Boolean 
functions, where GF2 arithmetic is replaced by real arithmetic, restricted to 
integers. The relation between DDs is summarized in Figure 17. It is worth 
noticing that WLDD representations based on AT require introduction of 
various multiple-valued formalisms, which might be harder to deal with than 
the ordinary algebra needed for AT and related DDs. 



Figure 17: Comparing Graph-based Function Representations in Functional 
and Spectral Domains (figure labels: Functional, Spectral; Boolean, Pseudo-Boolean; 
Truth Table, RM; EVBDDs, MTBDDs; BMDs, *BMDs; Boolean Algebra, Multiple Valued Logic) 

In conclusion, AT representation is directly employed in the most widely 
used word level decision diagrams. For this reason, and because of the 
inherent properties of AT that will be used in the rest of the book, we will 
always refer to AT as a circuit representation, while in reality, it could be 
some type of WLDD that is used in various tools. 



Chapter 3 



DON’T CARES AND THEIR CALCULATION 



In this chapter we present the background on the ever-present don't care 
conditions in Boolean networks. In particular, we discuss various circuit don’t 
care conditions, together with the exact and approximate ways of their 
identification. The material discussed here bears a particular importance, as 
the presented methods for recognizing don’t cares will be applied in a key step 
of identifying redundant design errors. 



1. INCOMPLETELY SPECIFIED BOOLEAN FUNCTIONS 

In Chapter 2 we have shown a few of the most commonly used Boolean 
function representations. We were assuming so far that a given function is 
fully specified for all input combinations. This case is rarely obtained in 
practice, and if so, then for rather small circuits. 

The omnipresent structural redundancies, referred to as don't care 
conditions, do not change the original Boolean function. However, they play 
significant, but widely different roles in synthesis, testing and verification. 

1.1 Don’t Cares in Logic Synthesis 

Don’t cares are widely used in logic synthesis for circuit minimization in 
conjunction with several types of function representations. The oldest and 
most traditional minimization techniques that use don’t cares were intended 
for two-level circuit minimizations and the Quine-McCluskey algorithm. In 
practice, don’t cares are helpful in minimization of any function 
representation, including various decision diagrams and spectral 
representations such as Reed-Muller transform [141]. 

The most benefit from the use of don’t cares in circuit minimization is 
obtained when considering multi-level circuit representation, i.e. a network 
consisting of Boolean gates. In optimizations of such networks, widely used 
are algorithms described in [14] and [113]. Multilevel minimization methods 
are globally applied to circuits represented as graphs. Their task is to 
minimize functions of each node in the network. Individual node 
minimization procedures in turn rely on the two-level circuit minimization 
under the presence of don’t cares. 

1.2 Don’t Cares in Testing for Manufacturing Faults 

As much as don’t cares are beneficial in circuit minimization, they 
present real difficulties in manufacturing testing. Their negative impact here 
is twofold. First, they significantly complicate the otherwise simple process 
of fault list generation. Second, some faults in parts of the circuit described
by don’t cares may transform the combinational circuit elements into
sequential ones, creating real testing havoc. Getting a good perspective on
the mechanisms behind the above two problems is essential for better 
understanding of the remaining part of this book. 

We first concentrate on the primary problem caused by don’t cares, i.e., 
generation of an irredundant fault list. Don’t care conditions in a Boolean 
circuit representation are translated into redundant hardware. Removal of 
redundant logic from the circuit does not change the functionality of the 
original design. The goal of a circuit minimization is the removal of 
redundant elements, as they do not contribute to the overall circuit 
functionality. However, in the previous section we have shown that, in 
general, it is not possible to eliminate all circuit redundancies. 

When the fault list is generated for a given circuit under test, then each 
and every element of this circuit is considered as a potential fault location, 
including redundant hardware. Redundant faults, similarly to the redundant
elements, are obsolete, and therefore should not be considered.
Unfortunately, there is no simple way to determine which faults are 
irredundant, and must remain in the fault list, and which ones are redundant, 
and therefore should be dropped from the fault list. 

Example I: Consider the following combinational circuit realizing Boolean
function f =a A((bvc)'vd)/\(J ® d). Now, assume that the stuck-at-0 fault
(s-a-0) is inserted on line “y”, Figure 18.

a) Circuit with redundancies

Figure 19: Example of a Redundant s-a-1 Fault

As can be seen from Table 3, y:s-a-0, which is located in the irredundant
part of the circuit, is detectable by three test vectors (a,b,c,d) = {(0,0,1,1),
(0,1,0,1), (0,1,1,1)}.

The situation is different in the case of z:s-a-1, Figure 19. It is not
possible to excite this fault by generating a required value 0 on the line “z”.
Table 3 illustrates that this fault is not detectable by any of the input
stimuli, i.e., is redundant. As can be seen in Figure 19.a, this fault is
associated with the redundant part of the circuit. Upon removing
redundancies, the fault z:s-a-1 is also eliminated, Figure 19.b.

Table 3: Truth Table for Function f and Two s-a-Q Faults

Although redundant faults seem to be harmless, as their presence in the 
circuit does not change the original functionality of a design, it is still 
important to remove them from the fault list. If left alone, then any testing 
technique will attempt to find test patterns detecting such faults, and 
naturally will fail, as a redundant fault cannot be detected even by subjecting
a circuit to the exhaustive test set. Costly simulation time is then unnecessarily
extended. Finally, redundant faults, when not recognized as such, are 
considered to be undetected. This effect compromises the true assessment of 
the test vector set coverage. 

There is another strong argument supporting the effort of redundancy 
removal, which is fault masking [24]. Fault masking is a real issue in the 
case of multiple stuck-at faults, where a redundant fault may mask other 
irredundant faults. 
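
The effect of a redundant fault on the fault list and on the reported coverage can be reproduced with a small exhaustive fault simulator. The Python code below is an added example, not taken from the book: the netlist f = ab + bc + a'c, its line names and the stem-only fault list are constructed for illustration (gate g2 = bc is the consensus term, so it is redundant logic).

```python
from itertools import product

# Constructed netlist (an assumption, not Figure 18/19): f = a*b + b*c + a'*c.
# Gate g2 = b*c is the consensus of the other two products, hence redundant.
LINES = ["a", "b", "c", "na", "g1", "g2", "g3", "f"]
VECTORS = list(product((0, 1), repeat=3))
FAULT_LIST = [(line, v) for line in LINES for v in (0, 1)]   # single s-a-v faults


def simulate(vector, fault=None):
    """Evaluate the netlist on (a, b, c); fault = (line, stuck_value) or None."""
    def drive(name, value):
        # A stuck-at fault overrides whatever the line would normally carry.
        return fault[1] if fault and fault[0] == name else value

    a, b, c = (drive(n, v) for n, v in zip("abc", vector))
    na = drive("na", 1 - a)
    g1 = drive("g1", a & b)
    g2 = drive("g2", b & c)
    g3 = drive("g3", na & c)
    return drive("f", g1 | g2 | g3)


def detecting_vectors(fault):
    """Test vectors on which the faulty output differs from the fault-free one."""
    return [x for x in VECTORS if simulate(x, fault) != simulate(x)]


def classify(fault_list=FAULT_LIST):
    """Split a fault list into (detectable, redundant) by exhaustive simulation."""
    detectable, redundant = [], []
    for fault in fault_list:
        (detectable if detecting_vectors(fault) else redundant).append(fault)
    return detectable, redundant


def coverage(test_set, fault_list):
    """Fraction of the listed faults detected by at least one vector of test_set."""
    hit = [f for f in fault_list
           if any(simulate(x, f) != simulate(x) for x in test_set)]
    return len(hit) / len(fault_list)


if __name__ == "__main__":
    detectable, redundant = classify()
    print("redundant faults:", redundant)
    print("coverage with raw fault list:    ", coverage(VECTORS, FAULT_LIST))
    print("coverage with redundancy removed:", coverage(VECTORS, detectable))
```

Even the exhaustive test set reports less than full coverage until the redundant fault is dropped from the list, which is the distortion of the coverage figure described above.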

1.3 Don’t Cares in Circuit Verification 

Redundancies in circuit verification are perceived in yet another light
than in the case of synthesis and manufacturing testing. A circuit under
verification is declared to be correctly implemented when the functions it
executes correctly are the super-set of the circuit specification.
Consequently, all circuit hardware realizing functions not described in the
specification can be viewed as redundant. However, from the perspective of
formal verification, such redundant hardware is neither used for reduction
of circuit complexity like in synthesis, nor is it treated as an obstacle
subject to removal like in manufacturing testing.




Figure 20: Example of a Don’t Care Location in a Circuit



2. USING DON’T CARES FOR REDUNDANCY IDENTIFICATION

In the previous section we have illustrated three different perceptions of
hardware redundancies in synthesis, testing and verification. Redundancies
come in handy in further circuit minimization, are undesirable in methods
that require fault lists like manufacturing testing, and are somewhat
transparent for formal circuit verification. Synthesis, due to the
impossibility of eliminating all hardware redundancies, tries to remove only
those that significantly increase the size of the circuit. Manufacturing
testing concerns only hardware redundancies that cause parts of a circuit to
be untestable. Such redundancies are targeted in the first place, and are
subject to removal. Testing methods, like Automated Test Pattern Generation
(ATPG), can identify them as a “side effect” of detecting manufacturing
faults. Therefore, goals set by synthesis and testing with respect to
searching for hardware redundancies vary, resulting in different algorithms.

In this chapter we present mechanisms behind hardware redundancies,
which are common in synthesis, testing and verification. However, as the
main topic of this book is simulation-based hardware verification, in later
chapters we will deal specifically with redundancies in generating fault
lists for hardware verification at the gate level. We will propose a spectrum
of efficient methods for identifying redundancies in verification fault lists
caused by the incompletely specified function characteristics.

2.1 Basic Definitions 

All the input function combinations for which the output is not specified
are referred to as don’t care conditions. Don’t care conditions arise due to
the embedding of a circuit in its environment, which is acting as a “filter”.
More precisely, the environment is blocking some input or output
combinations from a sub-circuit embedded into a larger circuit, Figure 20.
When some of the primary input patterns are prevented from reaching the
inputs of a sub-circuit, then we refer to these blocking conditions as input
controllability don’t cares. Consequently, all the obstructions in the
environments that are filtering some of the output patterns of a sub-block
from reaching the primary outputs are caused by observability don’t care
conditions, Figure 20. These two don’t care conditions are defined in the
following way.

Definition 8: The input controllability don’t cares ($CDC_{in}$) include all
input patterns that are never produced by the environment at the circuit
inputs.

Definition 9: The output observability don’t cares (ODCs) represent all 
input patterns whose effects are not observed by the environment. 

ODC^^{xeB”\ = 

9 $ 



Figure 21: ODC Computation 

Instances of $CDC_{in}$ and ODCs can be found in nearly every digital
circuit. Consider for example a basic datapath consisting of an n-bit adder
connected to an n × n-bit multiplier. The results of n × n-bit multiplications
are always of size 2n bits. However, if the width of this datapath is to be kept
constant, i.e., n-bit, then multiplication results are modified from 2n bits to n
bits to fit the width requirements. Disconnecting n output bits of the
multiplier from the datapath introduces ODCs to the system, as some of the
patterns generated by the multiplier will never reach the primary outputs.

2.2 Calculation of All Don’t Care Conditions 

Finding all don’t care conditions even in a relatively small circuit may be 
an overwhelming task. Therefore, there exist a variety of methods 
specializing in targeting a particular kind of don’t cares. In this section we 
present the classical methods for identifying CDCs and ODCs, which found 
an immediate application in redundant gate and wire replacement error 
identifications incorporated in our simulation-based netlist verification. 

2.2.1 Computation of Controllability Don’t Cares 

Before the formal introduction of an algorithm for identifying $CDC_{in}$
conditions, we start with a somewhat more intuitive example.

Example 19: Consider sub-circuit S1, which is a part of a larger circuit C.
Controllability and observability don’t care conditions are due to
embedding S1 into the environment of C. Figure 22 shows that gates XOR
and AND with outputs “x1” and “x2” filter some of the signals from
appearing at the inputs of sub-circuit S1. The truth table with inputs “a”
and “b” and outputs “x1” and “x2” is generated in order to determine which
patterns cannot be generated on lines “x1” and “x2” to sub-circuit S1.




Figure 22: Example of Sub-circuit S1 and its Environment C

Table 4: Truth Table for Determining $CDC_{in}$

From Table 4 we can observe that the pattern “01” never appears at
inputs {x1, x2} to sub-circuit S1. Therefore, the input controllability don’t
care conditions are $CDC_{in} = \bar{x}_1 x_2$.

In order to find the observability don’t care conditions, we need to
determine which patterns cannot be propagated from the outputs {y1, y2} of
sub-circuit S1 to the primary outputs {o1, o2} of circuit C. Based on the
circuit description in Figure 22, it is clear that AND gates connected to
outputs y1 and y2 of sub-circuit S1 can mask some of the outputs y1 and y2
generated by S1; masked outputs are denoted as d and D, respectively.



JCi 




Vi 


V: 


O] 


02 


0 


0 


d 


D 




0 


0 


1 


d 


Vi 


0 1 


V2 


1 


0 




D 




0 


1 


1 


Zj 


Z2 




n 



Table 5: Truth Table for Determining ODCs 

From Table 5 we see that the environment masks the outputs {y1, y2} from
appearing at primary outputs {o1, o2} of circuit C by setting lines {x1, x2} to
zero. Hence, ODC conditions for sub-circuit S1 outputs are:

$ODC = \begin{bmatrix} \bar{x}_1 \\ \bar{x}_2 \end{bmatrix}$

The overall don’t care conditions for the sub-circuit S1 are:

$DC = CDC + ODC = \begin{bmatrix} \bar{x}_1 x_2 + \bar{x}_1 \\ \bar{x}_1 x_2 + \bar{x}_2 \end{bmatrix} = \begin{bmatrix} \bar{x}_1 \\ \bar{x}_1 + \bar{x}_2 \end{bmatrix}$



The above example presents an intuitive approach to determining don’t
care conditions in a circuit. However, when dealing with larger circuits, we
need more systematic and robust algorithmic ways of finding CDCs and
ODCs. For computing CDCs, which we also use extensively, one also has to
deal with satisfiability don’t care conditions (SDCs). SDCs represent
impossible combinations of signals at internal nodes.

Definition 10: Assume that a circuit is given in a graph representation
G(V,E), where each graph node V stands for a circuit gate, while each edge
E is an internal wire connection. Then the satisfiability don’t care (SDC)
conditions of such a circuit are defined by the set: SDC = where 

y,sV" 

is a function of a node "x” of Boolean function representation “f of a 
given circuit. 

Example 20: Consider a node in a combinational circuit performing a
function $x = a \cdot b$. Then, an SDC condition caused by this node is:
$SDC = x \oplus (a \cdot b) = x'ab + x(a' + b')$.

2.2.2 Algorithms for Determining CDCs 

Once the input $CDC_{in}$ as well as SDCs are known, we can determine the
set of output patterns, which a given circuit cannot produce. Such a set is
referred to as output controllability don’t care conditions ($CDC_{out}$). The
inverse set of $CDC_{out}$, $(CDC_{out})'$, represents all the possible patterns
produced by a circuit as a response to all possible inputs from the set
$(CDC_{in})'$. In other words, $(CDC_{out})'$ is an image of $(CDC_{in})'$ under the
function f that a considered circuit performs.

Internal and output CDCs can be obtained either through circuit traversal 
or image computing. Both methods rely on a circuit representation by an 
acyclic graph G(V,E). The potential problems with state space explosion 
encountered while calculating don’t cares are common for both of these
methods. We briefly introduce both of these approaches, although all of our
methods presented in this work are actually based on the don’t care 
calculations through circuit traversal. 

CDC calculation through circuit traversal is based on the concept of cuts
executed on the circuit represented in the form of a graph G(V,E). Cuts can
be considered as “boundaries” which are being introduced to the circuit in
order to separate the already considered logic from the remaining part of the
design. The network traversal is performed in the forward direction, i.e.,
from primary inputs towards primary outputs. Therefore, the initial cut is
across primary inputs. Any new addition of circuit graph vertices adjacent
to the primary inputs moves the cut forward. The traversal continues by the
topological order of vertices in a given circuit graph. To keep the size of the
cut as small as possible, vertices whose direct successors are already
included in the cut are abandoned. When a vertex is dropped from the cut, all
the variables related to this vertex are removed from the set of variables
associated with the cut by applying a consensus operation on the local CDC
set. The consensus of a function with respect to a variable y is a common
factor (product) of two cofactors: •. This dependency removal guarantees 

the preservation of the parts of the CDC set which are not dependent on the 
removed variables. With every newly considered vertex, its contribution to 
the SDC set is recognized through adding it to the CDC set of a current cut. 

The following algorithm [89] performs the CDC set calculation. Let C 
denote the set of all vertices processed so far, i.e., the current cut. The set of 
all vertices dropped from the cut C is represented by D. The consensus 
operation at a node y is denoted by Cy. 

CONTROLLABILITY(G_n(V,E), CDC_in) {
    C = V^I;
    CDC_cut = CDC_in;
    for each vertex v_x ∈ V^G in topological order {
        /* add to cut C */
        C = C ∪ v_x;
        /* add local SDC component */
        CDC_cut = CDC_cut + f_x ⊕ x;
        D = {v ∈ C s.t. all direct successors of v are in C};
        for each vertex v_y ∈ D
            /* remove dependencies from variables in D */
            CDC_cut = C_y(CDC_cut);
        /* drop D from cut */
        C = C − D;
    }
    CDC_out = CDC_cut;
}

Algorithm 3: CDC Calculation through Forward Circuit Traversal

Example 21: We apply Algorithm 3 to calculate CDCs for a combinational
circuit in Figure 23, where the external input DC set is
$CDC_{in} = \bar{x}_1 (x_2 \oplus x_3)$. First, the algorithm places the cut at
primary inputs, and assigns the current CDC set to the external DCs. Next
$CDC_{cut}$ is augmented by $SDC_{y_1} = y_1 \oplus (x_1 + x_2)$ after moving
the cut behind node “y1”. Consensus of the $CDC_{cut}$ with respect to
variable “x1” is:

$C_{x_1}(CDC_{cut} + SDC_{y_1}) = \left(\bar{x}_1 (x_2 \oplus x_3) + y_1 \oplus (x_1 + x_2)\right)\big|_{x_1=1} \cdot \left(\bar{x}_1 (x_2 \oplus x_3) + y_1 \oplus (x_1 + x_2)\right)\big|_{x_1=0}$

which is equal to $C_{x_1}(CDC_{cut}) = \bar{y}_1 (x_2 \oplus x_3) + \bar{y}_1 x_2$.
After the second cut, the set $SDC_{y_2}$ is added, and the corresponding
consensus with respect to “x2” and “x3” yields the set:
$C_{x_2 x_3}(CDC_{cut}) = \bar{y}_1 y_2$. After another cut, only the

SDC at node ‘V 3 " is added, and consensus operator is not performed, as no 
variable is removed. Finally, after the .second output node SDC is taken into 
account, we obtain (CDC„„) =_>',y 2 +/ 
consensus with respect to “yi ” and" y 2 the CDCo,u «•' C^j^ (CZ)C„„) = ff^- 

Figure 23: Example Circuit for Don’t Care Calculations
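
As an added illustration (not part of the original text), the Python code below runs the forward traversal of Algorithm 3 on truth tables and checks the resulting output CDC set against plain simulation. The four-gate network, its names and the input don't care set x1'x2' are assumptions made for this example; it is not the circuit of Figure 23.

```python
from itertools import product

OPS = {"OR": lambda a, b: a | b, "AND": lambda a, b: a & b, "XOR": lambda a, b: a ^ b}

# Constructed network (an assumption, not Figure 23), listed in topological order.
INPUTS = ["x1", "x2", "x3"]
GATES = {"y1": ("OR", ["x1", "x2"]), "y2": ("OR", ["x2", "x3"]),
         "f1": ("AND", ["y1", "y2"]), "f2": ("XOR", ["y1", "y2"])}
OUTPUTS = ["f1", "f2"]
NAMES = INPUTS + list(GATES)
N = len(NAMES)
IDX = {name: i for i, name in enumerate(NAMES)}
FULL = (1 << (1 << N)) - 1          # constant-1 function over all N variables


def var(name):
    """Truth table of one variable: bit m is set when the variable is 1 in minterm m."""
    return sum(1 << m for m in range(1 << N) if (m >> IDX[name]) & 1)


def consensus(f, name):
    """C_y(f) = f|y=1 AND f|y=0: the part of f that holds for both values of y."""
    bit, out = 1 << IDX[name], 0
    for m in range(1 << N):
        if (f >> (m | bit)) & 1 and (f >> (m & ~bit)) & 1:
            out |= 1 << m
    return out


def controllability(cdc_in):
    """Forward traversal of Algorithm 3; returns the set of forbidden output patterns."""
    succ = {n: [g for g, (_, fanin) in GATES.items() if n in fanin] for n in NAMES}
    cut, cdc_cut = set(INPUTS), cdc_in
    for g, (op, fanin) in GATES.items():
        cut.add(g)                                             # move the cut behind g
        cdc_cut |= var(g) ^ OPS[op](*(var(v) for v in fanin))  # local SDC: g XOR f_g
        # Primary outputs stay in the cut; they stand for the external successors.
        drop = {v for v in cut if v not in OUTPUTS and all(s in cut for s in succ[v])}
        for v in drop:
            cdc_cut = consensus(cdc_cut, v)                    # remove dependency on v
        cut -= drop
    assert cut == set(OUTPUTS)
    return {p for p in product((0, 1), repeat=len(OUTPUTS))
            if (cdc_cut >> sum(b << IDX[o] for b, o in zip(p, OUTPUTS))) & 1}


def cdc_out_by_simulation(care):
    """Reference result: output patterns never produced by any input in the care set."""
    seen = set()
    for x in product((0, 1), repeat=len(INPUTS)):
        v = dict(zip(INPUTS, x))
        if not care(v):
            continue
        for g, (op, fanin) in GATES.items():
            v[g] = OPS[op](*(v[i] for i in fanin))
        seen.add(tuple(v[o] for o in OUTPUTS))
    return set(product((0, 1), repeat=len(OUTPUTS))) - seen


NOT_X1_NOT_X2 = (FULL ^ var("x1")) & (FULL ^ var("x2"))   # CDC_in = x1' x2'

if __name__ == "__main__":
    print("CDC_out, empty CDC_in:   ", controllability(0))
    print("CDC_out, CDC_in = x1'x2':", controllability(NOT_X1_NOT_X2))
```

The truth tables here grow as 2^N bits, which is the state explosion the text mentions; a BDD package would replace the integer bitmasks in a practical tool.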

An alternative method of determining CDCs is obtained by means of
image computation. The implementation of this method was borrowed from
the implicit enumeration of states in a finite state machine, and was first
introduced for the CDC calculation in [127]. If the set of input controllability
don’t care conditions is empty, then the image of function f simplifies to its
range, Figure 24. There, unlike the forward traversal method, which starts
with the input variables and proceeds towards primary outputs, the
computation of the range of a given function f starts from the primary
outputs. The main idea here is to use the output variables for the function
expansion (calculation of cofactors) while sustaining the function
representation in terms of its input variables.

Figure 24: Range and Image of a Function

The range computation for the m-input and n-output function y = f(x) =
fY with output variables {y1, y2, ..., yn} is performed
recursively in the following way. For the first output variable y1, the range of
the function f is the sum of two subsets. For example, the assignment y1 = 1
results in the range of the outputs for which y1 is true. Similarly, we
recursively calculate the range of the other components restricted to the
subset of the domain where y1 is false:




The restriction on the range is, in this case, a generalized cofactor, i.e., a
cofactor of a given function with respect to the other function instead of a
variable like in the case of cofactors from Shannon expansion. The range of
function f can be then determined by recursively expanding Equation (1)
around all output variables of f. During the entire process of calculating the
range of f, function f is always expressed in terms of its input variables,
while the expansion is performed only around output variables of f.



Example 22: Consider again the circuit from Example 21. We assume that
the set of input CDCs is empty, i.e., $CDC_{in} = \emptyset$. We determine the
set of $CDC_{out}$ through the range computation. According to Figure 23, the
output vector function f(x) can be expressed in terms of its input variables as
follows:




where $y_1 = x_1 + x_2$, $y_2 = x_2 + x_3$.

If we express functions “f1” and “f2” in terms of input variables “x1”, “x2”
and “x3”, then the vector function f(x) becomes:




The range of the function f(x) is then computed as:
range(f(x))=/^-range(/2\^^J-hf, ■

=f, ■ -- ,)-H^ ■ rangeifl --J 

=f^-range{x^x^x\ — )+J^-range{x^x^x-i 

U*! •*^3®' 

=f\ ■ range{Q) + J ■ rangeif^ + f^) 



lj-|»2r,=0^ 



=/-/2+/=yi+/2- 

The $CDC_{out}$ is an inverse of range(f(x)), and is equal to

$CDC_{out} = \overline{range(f(x))} = \overline{(f_1 + f_2)} = \bar{f}_1 \bar{f}_2$.

The truth table of the vector function f(x) presented below confirms the
correctness of the above calculations. From Table 6 we observe that pattern
“00” is never generated at the outputs of the function f(x).



X\ 


•^2 


Xi 


A 


[2 


0 


0 


0 


0 


0 


0 


0 


1 


0 


1 


0 




0 


0 


0 


0 




1 


0 


0 


1 


0 


0 




0 


1 


0 


1 


0 


0 


1 


1 


0 


0 


0 


1 


1 




0 


0 



Table 6: Truth Table for Vector Function from Figure 23 



As mentioned, computation of the range can be applied when the set of
input controllability don’t care conditions ($CDC_{in}$) is empty. Now we
consider the case when $CDC_{in} \neq \emptyset$. Presence of input don’t
cares limits the domain of a function f(x) to $(CDC_{in})'$. Hence, Equation (1)
must be modified in the following way to take into account such restrictions:

















/' 






/' 




imageif(x)) = yy ■ image 


/ 




+ yi - image 


f 






J". 


(/’=i)(coc;;>^ 




T- 


(/'=0KC'nc,.)^ 



Example 23: In the previous example we illustrated how to obtain $CDC_{out}$
through the range calculations. Now, we demonstrate how input
controllability don’t care conditions influence the $CDC_{out}$. Let us now
assume that CDCj„ = XfX 2 - The range computations is now changed to

image calculations with the care set restricted to CDCi„ = x^ + X 2 - In this 
case a function “ff'from Example 22 is first considered in the domain 
restricted by both CDC^,^ = X^ + X 2 = \ and = jr, ^2 JTj = I . TVien. the 

domain of "fi' ^ limited to CDCj,, = X| + X 2 = 1 and 
= X^X 2 X^ =O.After applying the above restrictions we obtain the 
following image of'ff: 



image{f(x)) = f\ ■ image(f\^^^ =i).^= 1 ' 



'2|(/, = 0)(C'/X-„, = I) 






= fy ■ image{Q) + fy ■ image((i) = /, • f-^ + /, • / ^ = /j. 

Hence, the CDC,,,,, conditions for the circuit in Figure 23 under the 
restrictions of CDC, „=XyX 2 .w are: CDC„,^, =image{f(x)) = fi-Ji' 



To verify the above computations, let us generate the truth table for the
considered function from Example 22 in the domain limited by $CDC_{in}$.

By comparing function values from Table 6 and Table 7 we see that, due
to the restrictions imposed by $CDC_{in}$, a function 'ff no longer takes value 1
for the input combination (x1, x2, x3) = (0,0,1), and is equal to zero for all the
inputs.



Xi 


•>^2 




X, - CDCy„ 


X2 CDCi„ 


Xj ■ 


/l
0
0
0
0
0
1
0


0 










1 


1 


0 


0 



Table 7: Truth Table for Image Calculations



For efficiency, both presented methods for CDC calculation require
graph representations such as BDDs. On the other hand, the size of BDD
circuit representations is often exponential, motivating the exploration of
alternative methods, presented in sections to follow.

2.3 Algorithms for Computing ODCs

Observability don’t care conditions prevent values on some of the
internal circuit lines from appearing at the primary outputs. Hence, if there
is a change on an internal line, then the ODC conditions will prevent that
change from propagating to the primary outputs. Hence, the observability
don’t care set for function f with respect to an input variable x is simply a
complement of the Boolean difference
$\partial f / \partial x = f|_{x=1} \oplus f|_{x=0}$, i.e.,
$ODC_x = \overline{\partial f / \partial x}$.

Recalling the basic Boolean algebra, a Boolean difference of the function
with respect to the variable of interest indicates whether this variable
changed the polarity of the output. In the case of a multiple-output function
f, the ODC set is a vector whose elements are the complemented Boolean
differences of each of the scalar output functions of f with respect to the
variable of interest.

Example 24: Consider the following single-output circuit presented in
Figure 25. Let us assume that the output ODC set is empty
($ODC_f = \emptyset$), i.e., the environment does not superimpose any
restrictions on the outputs of the considered circuit. We calculate ODCs of
each of the internal nodes through the backward traversal from the primary
output “f”. The functions of all the internal circuit nodes are:

/ = 72+>'3- T2=^\+y\^ >’|=-^2+-^3- 




Figure 25: Example of ODCs in Combinational Circuit 

Then, the ODC conditions are obtained by taking into account all these
cases when the signal under consideration cannot propagate to primary
outputs:
ODC^y =



K. 



= ( C ;': + ^ 3 )!,, ,,)®((>'2 + , f .) = -^1 + -*^ 4 . 



ODC^^ = 



ODC.. = 



^ ) = ((>'2 + ^'3 )|,,, = I )®( (>’2 + >-3 )L n ) = ' ®->’3 = J'3 = -*^2 + + ^4 . 



dy’i 



= (0'2+;^3)|,,^.|)®((.V2+y3)|,. .o^ = '®->'2=>'2=-^l+-^2+'^1 



In other words, either “x1” should be high, or “x4” should be low for
changes at the node “y1” to be unobservable. All ODC conditions are shown
in Figure 25.

In order to calculate ODCs using the negation of a Boolean difference
determined with respect to an internal variable of interest, one needs to
express outputs of a considered function f in terms of internal variables (for
most of the functions such an operation would be explosive in size). One
way of overcoming the above difficulties is to calculate ODCs by backward
circuit traversal. By starting from the primary outputs, $ODC_{out}$ conditions
are known, and depend only on the environment into which this circuit is
embedded, rather than on the circuit itself. Then, we can compute ODC
conditions for all the vertices of the function graph representation, which are
direct predecessors of vertices with known ODCs. For example, if a circuit
node $v_y$ of a function f has previously determined ODCs ($ODC_y$), then the
ODC conditions for a vertex $v_x$ ($ODC_x$), whose direct successor is $v_y$, can
be calculated as:

$ODC_x = \overline{\partial f_y / \partial x} + ODC_y$



The first part of the above equation determines the conditions under which
changes in polarity of signal x are not visible at node y, while the second
part describes the already known ODC conditions which prevent y from being
observed at primary outputs. By a backward traversal of the circuit we can
determine all ODC conditions for all nodes, Figure 26.

There are a few details missing from the overall picture. For example, we
did not consider the calculation of ODCs for the vertices with multiple 
fanouts. Although this problem is difficult, it can be successively resolved in 
a similar way as the one proposed. The only modification here is that now 
we have to consider all the fanout stems [89]. 
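
The two ways of obtaining ODCs described above can be compared directly on a small circuit. The Python code below is an added example, not the book's code: the tree circuit (f = y2 + y3, y2 = x1 + y1, y1 = x2 + x3, y3 = x4') is constructed for illustration and is not the circuit of Figure 25, and every node is assumed to have a single fanout.

```python
from itertools import product

OPS = {"OR": lambda *a: int(any(a)), "AND": lambda *a: int(all(a)),
       "NOT": lambda a: 1 - a}

# Constructed single-output tree circuit (an assumption, not Figure 25):
# f = y2 + y3, y2 = x1 + y1, y1 = x2 + x3, y3 = x4'. Listed in topological order.
INPUTS = ["x1", "x2", "x3", "x4"]
GATES = {"y1": ("OR", ["x2", "x3"]), "y3": ("NOT", ["x4"]),
         "y2": ("OR", ["x1", "y1"]), "f": ("OR", ["y2", "y3"])}
VECTORS = list(product((0, 1), repeat=len(INPUTS)))


def simulate(x, forced=None):
    """Values of all lines for input vector x; forced = {gate: value} overrides a gate."""
    v = dict(zip(INPUTS, x))
    for g, (op, fanin) in GATES.items():
        v[g] = OPS[op](*(v[i] for i in fanin))
        if forced and g in forced:
            v[g] = forced[g]
    return v


def odc_exact(node, out="f"):
    """Complement of the Boolean difference of out with respect to an internal node:
    the input vectors for which out|node=1 equals out|node=0."""
    return {x for x in VECTORS
            if simulate(x, {node: 1})[out] == simulate(x, {node: 0})[out]}


def odc_backward(out="f", odc_out=frozenset()):
    """Backward traversal: ODC_x = (d f_y / d x)' + ODC_y for each fanin x of gate y."""
    odc = {out: set(odc_out)}                 # ODC at the primary output (environment)
    for y in reversed(list(GATES)):           # reverse topological order
        op, fanin = GATES[y]
        for k, x in enumerate(fanin):
            if x in odc:
                raise ValueError(f"{x} has multiple fanouts; stems need separate handling")
            local = set()
            for vec in VECTORS:
                vals = [simulate(vec)[i] for i in fanin]
                hi = OPS[op](*(vals[:k] + [1] + vals[k + 1:]))
                lo = OPS[op](*(vals[:k] + [0] + vals[k + 1:]))
                if hi == lo:                  # gate y does not see a change on x
                    local.add(vec)
            odc[x] = local | odc[y]
    return odc


if __name__ == "__main__":
    backward = odc_backward()
    for node in ("y1", "y2", "y3"):
        print(node, "exact == backward:", odc_exact(node) == backward[node],
              "| ODC size:", len(backward[node]))
```

The backward pass only evaluates one gate at a time, whereas `odc_exact` needs the output expressed through the cut node, which is the cost the text warns about for larger functions.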

It may seem that don’t care conditions are rather scarce in a carefully
designed system, as their presence means nothing more than a given design
has obsolete (redundant) elements. However, don’t care conditions are the
rule rather than an exception. Although the exact identification of all don’t
care conditions in a given circuit is often a challenging task, we cannot
overlook the seriousness of storing all the encountered don’t care conditions
due to their large volume. To overcome the above problems, an appealing
solution is to resort to a subset of don’t care conditions.

Figure 26: Determination of ODCx of Internal Node x

Although simple in concept, computation of ODCs by means of Boolean
difference is often hard to realize due to the difficulties in expressing the
function outputs in terms of internal variables. Therefore alternative
solutions are often used.

2.4 Approximations to Observability Don’t Cares - CODCs

So far we were considering only exact ways of determining don’t care 
conditions. Although this guarantees the most precise information about 
DCs, often due to the size of a circuit and difficulties in expressing function 
outputs in terms of its internal variables, we seek approximate solutions. 

One possible approximate method to calculating ODCs is based on the 
notion of perturbed network [89], which is useful for circuit optimization. In 
the remainder of this section we rather concentrate on a general ODC 
approximation scheme that can be used for testing and verification 
applications. 

We recall that the ODC set is obtained by calculating the Boolean
difference with respect to a node of interest. However, it is very costly to
calculate the exact Boolean difference, as it involves multiple XOR
operations between the products of partial Boolean derivatives. The exact
determination of the Boolean difference requires calculating exponentially
many partial derivative terms:

e ^fk ^S, ^ gVi ggi ^ 

Syj 5 ?] dyj dg^ dyj dg, dyj dg^dg^ dyj dyj 

g',4 ^gi gg2 gg, 



A widely used approximation to the ODC set explores instead an AND
operation between the partial derivatives along possibly reconvergent paths.
Such a calculation of the compatible ODC (CODC) sets is known to produce 
one-sided error: some ODC conditions are not identified, but the points from 
the care sets are never declared as don’t cares. The CODCs can be 
calculated by a single backward network traversal. Using an order of nodes 
in Figure 26, it can be shown that CODC computation can be performed in 
the fixed order of nodes: yi to At each step, it is sufficient to calculate a 
product of terms that include partial derivatives along all preceding signal 
paths yi, augmented with the corresponding consensus for y,: 



CODC^^ = 






,^2 






+CODC 



r 



The intuitive interpretation of the above scheme is as follows. The last 
bracket calculates the minterms that are insensitive to the node y*, hence they 
are in the don’t care set with respect to the path including y*. Each remaining 
expression in the brackets restricts the CODC set to be either in the care set 
of the node y/ that was already considered, or to be insensitive (by finding a 
consensus) to these nodes. In this way, no DC conditions are considered 
more than once, at the expense of possibly missing some DCs. 

In practice CODC sets are much faster to obtain than full ODCs. They 
are still usually represented by BDDs. However, this solution has its 
drawbacks, as the BDDs by themselves will be derived from the overall 
circuit representation and will consequently be too large to handle in circuits 
such as multipliers. 








Figure 27: Compatibility Among CODCs (n1 and n2 are in local CODCs by
primary input assignment)

A further advantage of CODCs is that they are compatible among the pairs
of inputs (n1, n2) to a node in a Boolean network [113]. This means that the
value of the output will not change if the values at n1 or n2 are assigned an
arbitrary value as long as they were in the local CODC sets for these signals,
Figure 27. In other words, CODCs in a fanin of each node are mutually
independent of each other. This property does not hold for exact ODC sets,
and we will use this compatibility property of CODCs for identifying
redundant wire replacements in Chapter 7.

TESTING



Manufacturing Testing Background 



Most algorithms originally intended for applications in one discipline of
electrical engineering found a great use in other, sometimes not even related
areas. This is certainly the case when it comes to synthesis, testing and
verification. In chapters to follow, we will show how don’t care calculations
are successfully used in creating fault lists for simulation-based netlist
verification. In this chapter, however, we will introduce basics of testing for
manufacturing faults. We will primarily focus on methods where netlists are
subjected to either pure simulations (non-deterministic approaches), or to
Automated Test Pattern Generation, i.e., ATPG (deterministic solutions), as
these solutions found an immediate application to netlist verification. Other
topics covered include diagnosis and design error detection.



1. INTRODUCTION 

Testing is the procedure for manufacturing process verification, where 
each device is checked for the absence of defects. Detection of all defects is 
mandatory for a correct functioning of a digital circuit, as otherwise a circuit 
responds wrongly to some input stimuli. Therefore, defects can be viewed as 
sources of errors in a given design. Often, the number and types of actual 
physical errors are too large and too difficult to be handled by automated tools, 
hence it is more efficient to represent them as faults, which are a more 
abstract form than errors. 

The economic significance of testing is great, and is growing in 
importance with advances in technology and with increased device 
quantities [32]. If a faulty device is sent to customers, potentially large 
penalties can be incurred. On the other hand, if a correct device is marked as 
faulty, the yield of the process is decreased, so again the cost can suffer 
significantly. Hence, testing is aimed at striking a good balance between 
these two scenarios [24], which is not an easy task. 

In this chapter we review algorithmic methods for combinational circuit 
testing under a single stuck-at fault model. We restrict ourselves to the 
structural methods for test pattern generation, which also found their 
applications in simulation-based netlist verification. While this formulation 
seems simple, a variety of sophisticated techniques need to be applied for 
successful and economical testing. 





Figure 28: Overview of Automated Test Generation Process (flowchart blocks: Pre-Processing Phase; Test Vector Simulation; All Faults Detected; Dropped from Fault List; Output Test Set, Fault Coverage; Add Vector to Test Set; Collapse Test Set) 

Testing involves a combination of pseudo-random generation of stimuli, 
simulations, and finally deterministic algorithms for generating test vectors 
that detect specific, targeted faults. Figure 28 outlines the whole process. 



2. FAULT LIST REDUCTION 

With increased circuit size, fault lists become prohibitively large. For 
example, for n connection lines in a given circuit, the number of possible 
multiple s-a-v faults is $3^n - 1$. Although the number is reduced to $2n$ when the 
single s-a-v fault model is assumed, this still translates into a large figure for 
multi-million gate circuits. Therefore, one of the key steps in testing is that 
of managing the large fault lists. 

Reduction of a fault list starts early-on during its generation, where the 
equivalence and dominance relations between faults are explored. We say 
that two faults are equivalent if they are detected with the same vector set. 
Hence, it suffices to add to the fault list only one fault from the equivalent 
set. Similarly, if all tests for a fault F also detect a fault G, then we say that 
G dominates F. Again, in such cases only F appears in the fault list. 

All these collapsing techniques, although widely used in testing, 
have not yet been adopted in the simulation-based netlist verification with 
explicit error modeling. The alternative possibility is to use implicit error 
modeling, as detailed in the next chapter. Then, many explicit faults can be 
represented concisely by the given error class, and fault collapsing becomes 
less critical. 



3. OVERVIEW OF SIMULATORS 

Fault simulations are essential to the testing procedure [24]. They are 
present not only in testing and verification methods that rely entirely on 
simulations for fault detection, but the ATPG approach also benefits from 
simulations. Here, vector simulations are used in the pre-processing phase, 
Figure 28, to eliminate easy-to-detect faults from the fault list. As such faults 
often constitute a considerable portion of the list (for some circuits the 
percentage of errors detected this way may reach 80% or more), the number 
of costly ATPG runs is significantly reduced. Therefore, it is not surprising 
that much of the research effort has been put into fault simulation 
techniques, including work on the quality of test vectors as well as the 
simulators. 







Chapter 4 



3.1 True-Value Simulator Types 

Simulations are commonly utilized at every stage of a design process for 
various correctness and performance checks. They alone consume most of 
the overall computing time in the complete design process. The basic 
simulation of a correct circuit (true-value) is the most common tool for 
circuit verification at various levels of detail (abstraction). There exist 
several equally important approaches to circuit simulation, depending on the 
abstraction level used in the model. The characteristics of the most common 
true-value simulator types are summarized in Table 8. 

Most accurate and detailed information can be obtained by the circuit 
level simulations. SPICE [94] and its successors are by now standard circuit 
level simulators by which the behavior of circuits with passive (R, L and C) 
and active (transistors, diodes) components is evaluated in continuous time 
by solving differential equations numerically. 

For digital circuits, widely used is the gate-level abstraction level, where 
circuits are modeled as networks of uni-directional gates, with well-defined 
inputs and outputs. When designers are concerned with functionality (rather 
than timing) and use transistors as bi-directional digital switches, the switch 
level simulators [21] become handy. For example, designers of FPGAs 
might use such simulators for functional verification, as there are plenty of 
pass transistor switches in FPGAs. Switch level simulators treat MOS 
transistors as bi-directional switches. Logic value at a node n is determined 
by logic values of nodes connected to n through open drain-source channels 
(channel-connected components), as well as the driving strength of all such 
transistors attached to n. Please note that gate-level simulators cannot deal 
well with such bi-directional, multiple-driven signal situations. 

Most general simulators of logic are referred to as logic level simulators. 
There are several variations in representing various design parameters in 
order to accommodate a broad class of design abstractions, which these 
simulators can deal with. For example, there are several models for the delay 
accuracy (zero-delay, unit-delay or multiple-delay), as well as the circuit 
representations. For larger circuits given primarily in structural or mixed 
structural/behavioral HDL languages, RTL-level simulators are being used. 
A special class of simulators that is becoming increasingly important is the 
system level simulator. They are useful in handling systems with large 
software components where the transaction-level modeling (rather than the 
cycle-accurate timing) is used for architectural exploration. Transactions 
include processor instructions, direct memory accesses and similar 
operations. While modeling these transactions, lots of hardware 
implementation details are hidden, or not yet refined. System-level 
simulators accept design descriptions in high-level specification languages 
such as SystemC and SystemVerilog. 

With increasing circuit complexity, it is not that uncommon to have at 
some point various design blocks at different stages of refinement. For 
example, some elements may still be described behaviorally, while others 
already have a well-refined structure. Such designs are explored using 
mixed-mode simulators, which operate at several abstraction levels. 

Timing is another important parameter in circuit performance. It is being 
verified using timing level simulators, which compute node voltages in 
continuous time based on detailed transistor and parasitic characteristics 
(dynamic timing analysis). However, as the above computations are often 
very involved, some preliminary checks on the design are performed, which 
determine timing violations and critical path delays (static timing analysis). 
Path delays are calculated here based on the information extracted from 
netlist, without a need of complex simulations. Static timing analysis is 
therefore more plausible than simulations for timing verification. 



Level      | Input              | Timing            | Used for                | Verification of 
-----------+--------------------+-------------------+-------------------------+------------------------------ 
Circuit    |                    | Continuous Time   | Analog, detailed timing | Analog, some digital circuits 
Switch     | Transistor netlist | Zero delay        | (illegible)             | 
Timing     | Device netlist     | Detailed          | Detailed timing         | Timing 
Logic      | Gate netlist       | (illegible)       |                         | 
RTL        | Structural HDL     |                   | High-level description  | Functional description 
Behavioral | HDL                | Zero-delay        | Specification           | Functional description 
System     | System Spec.       | Transaction-based | Systems with software   | System-level Specification 



Table 8: Comparison of Simulation Modeling Levels 



3.2 Logic Simulators 

Logic simulations are performed at most stages of a design process. 
Although software-based solutions are most widely used, RTL and netlists 
can be also verified using hardware accelerators or emulators, with the 
benefit of significant performance improvement. The real advent of this 
method of circuit verification came with the development of FPGAs, which 
provide fast, cheap and reasonably accurate means of design prototyping. 
Emulations are performed close to the actual design speed, and can 
sometimes be performed in the real application environment. In contrast, 
even the fastest computers can only simulate tens of thousands of simulation 
cycles per second. Additionally, it may not be possible to simulate the entire 
design in software, due to the large amount of stimuli required. However, 
emulators also come at a price. Mapping a large design with 
complex timing issues onto FPGAs may prove to be quite challenging, and 
does not always guarantee a circuit with timing performance close to the 
requirements. Additionally, there is always a chance that some errors in a 
prototype will be added by the mapping process. 

Common to all logic simulators is the basic simulation loop that reads 
inputs at a given time instance, obtains the logic value at all circuit nodes 
and displays outputs and internal nodes of interest to the users. To achieve 
fast and accurate simulations, several alternatives can be explored in 
designing a logic simulator. In the remaining part of this section we will 
concentrate on issues regarding software-based (true-value) simulators only, 
as this is the type of simulator typically used in netlist verification and 
testing. Known solutions differ in the way they approximate the continuous- 
time response of a circuit by discrete time models. We can distinguish three 
classes of simulators: cycle-based, event-driven and transaction-based. 

For increased timing accuracy that takes into account intentional or 
unintentional asynchronous paths and race conditions, most suitable are 
event-driven simulators. The main idea explored here is to simulate only the 
circuit parts which change for a given input stimulus. The rest of the circuit, 
being inactive for a particular input vector, is not considered. As event- 
driven simulators do not simulate inactive periods of time or parts of a 
circuit, their efficiency is high. 

Example 25: Consider an event-driven simulation given in Figure 29, 
where a unit-delay circuit in part a) is simulated for changes at input “h”, at 
time 0 (value set to 0) and 2 (set to 1). The event list is given in part b), with 
the initial events taking place at input “h”, and the list being updated in 
subsequent simulation steps. Every time an event happens, the list is 
updated as a consequence of the event. The event at node “h” triggers 
events at nodes “e” and “f” after one time unit, etc. 

Figure 29: Example of Event-driven Simulation 

During early stages of the design process, major work is done on 
independent design of individual elements of a project. However, at some 
point, the behavior of the overall design composed of well-defined blocks 
must be checked. Often, the complete design is too large to be simulated as a 
whole, and hence the problem is resolved only with partial simulations. For 
that purpose cycle-based simulators are used to verify the functionality of 
large synchronous systems where timing is not the primary concern, and it 
suffices to calculate the circuit response only at clock edges. This class of 
simulators does not guarantee correct results when designs have 
asynchronous elements, latches, etc. Whenever possible, cycle-based 
simulators are the preferred choice over event-driven tools, as they require 
fewer stimuli. 

Example 26: Consider the circuit in Figure 30. Events which take place during 
the simulation of one execution loop using event-driven and cycle-based 
simulators are described in Table 9. 



Event-Driven: Event on          | Event-Driven: Effect                                                  | Cycle-Based: Event on           | Cycle-Based: Effect 
--------------------------------+-----------------------------------------------------------------------+---------------------------------+---------------------------------------------------------------------------- 
Clock input (rising clock edge) | Loading of Ra, Rb, Rc and Rd with input vectors                       | Clock input (rising clock edge) | Update of Ra, Rb, Rc and Rd; selection of signals by Muxes; addition by adder 
Ra, Rb, Rc, Rd and select line  | Propagation through Muxes of contents of selected registers to adder  | Next clock (rising edge)        | Update of Rout with sum generated in previous clock 
                                | Addition of inputs supplied by Muxes                                  |                                 | 
Next rising clock edge          | Loading Rout with sum generated by adder at the end of previous clock |                                 | 

Table 9: Events During Simulations of Circuit in Figure 30 with Event-Driven and Cycle-Based Simulators 

Table 9 shows that the event-driven simulator requires four events to simulate 
the circuit in Figure 30, while the cycle-based simulator takes two cycles. 




Figure 30: Example for Comparison Between Event-Driven and Cycle-Based Simulators 

From the above example, we can see that a significant number of 
simulation runs can be saved by using a cycle-based simulator. However, 
there is a price to be paid for that. It is practically impossible to extract any 
timing and delay information from the simulations. If such data is needed, 
then static timing analysis must be performed on a circuit. 

In cycle-based simulators, time advances at clock edges, followed by 
response calculation throughout the netlist. In event-driven simulators, a list 
of events is maintained, and the time advances with the earliest event on the 
list. The list of events changes dynamically and is highly dependent on the 
simulation input, unlike the cycle-based simulators. 

For simulating systems with large software components, most suitable 
are the transaction-based simulation engines. Transactions are usually 
described by their start and end times, the payload data, as well as the type 
of the transaction. Each software instruction (e.g., read, write) or a function 
call can be modeled as a transaction in sufficient detail with regard to its 
function and possibly overall timing. However, the exact details of 
underlying hardware signals in processors and logic are not simulated. 



4. FAULT SIMULATORS 

Fault simulations are performed to assess the value of testing procedures 
selected for a given circuit. This includes checking the quality of design for 
testability (DFT) measures, as well as estimating the effectiveness of test 
vectors in detecting faults. The latter is then used to evaluate the test vector 
set, reduce a fault list, and guide the test pattern generation. For a given 
stimulus, fault simulation includes a single simulation of the correct circuit 
(i.e., true-value), followed by multiple simulations where specific faults are 
inserted into the fault-free circuit. After comparing the faulty and true-value 
outputs, we deduce which faults are detected by test vectors. 

Given sufficient time and space, one could construct a covering table 
with complete information on which fault is detected by which test vectors. 
The test generation problem would then amount to the optimal covering of 
the faults by test vectors. In reality, even for moderate-size circuits, the 
construction of such covering tables is prohibitive. In fact, common to the 
majority of testing methods is the assumption that a fault is dropped from the 
fault list upon first detection, i.e., fault dropping. 

Fault simulation methods include many techniques for minimizing 
the number of simulation runs. In the naive approach, each vector is 
simulated n+1 times for n faults. This can clearly be improved, as the circuit 
connectivity and signal values at many intermediate nodes change in 
minuscule (if any) ways among the simulation runs for the same input vector. 

Figure 31: Parallel Fault Simulation 

The most common optimization of the basic scheme includes the concept 
of parallel simulation, by which each simulation cycle deals with multiple 
circuit instances. The parallel simulator exploits a bit-level parallelism in 
performing logic operations over computer words. If the only simulator 
signal values are 0 and 1, then the number of possible simulation runs at 
each cycle is equal to the width of the computer word. For example, 
simulating an AND gate is performed by bit-wise AND over the registers in 
the processor, as opposed to the same operation over only two bits. The 
maximum speedup obtained is equal to the width of the word, assuming that 
there is no fault dropping. Fault dropping somewhat reduces the speedup, 
since parallel simulation will not be stopped on first detection of a single 
fault, unlike the individual fault simulation. 

Example 27: Consider a parallel simulation for stuck-at fault detection, 
Figure 31. The fault-free and the two faulty configurations are encoded in 
three bits, and the simulation is performed over all the bits in parallel. In 
order to treat all the instances uniformly, additional gates have to be 
inserted at the place of each fault. For each s-a-0 (s-a-1) fault, an AND (OR) 
gate is added with the second input being forced to zero (one) only when the 
fault is activated, Figure 32. 

Figure 32: Parallel Fault Simulation by Gate Insertion 
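
The parallel scheme of Example 27, combined with fault dropping, as an added example that is not taken from the book: bit 0 of each word carries the fault-free circuit and every other bit carries one faulty copy, with the inserted AND/OR gates modeled as bit masks. The netlist y = (a AND b) OR c, the test vectors, the 4-bit word width and all function names are assumptions constructed for illustration.

```python
# Added example: bit-parallel stuck-at fault simulation with fault dropping.
# The netlist, vectors and word width are constructed for illustration.

INPUTS = ("a", "b", "c")
OUTPUTS = ("y",)
# Gates in topological order: (output line, operation, input lines).
GATES = [("n1", "AND", ("a", "b")), ("y", "OR", ("n1", "c"))]
OPS = {"AND": lambda p, q: p & q, "OR": lambda p, q: p | q, "XOR": lambda p, q: p ^ q}


def all_faults():
    """Single stuck-at fault list: every line stuck at 0 and at 1."""
    lines = list(INPUTS) + [out for out, _, _ in GATES]
    return [(line, v) for line in lines for v in (0, 1)]


def simulate_word(vector, faults):
    """Simulate one vector on the good circuit (bit 0) and on one faulty
    copy per fault (bits 1..len(faults)) in a single pass over the netlist.
    Returns the faults whose primary outputs differ from the good circuit."""
    width = len(faults) + 1
    ones = (1 << width) - 1

    def inject(line, word):
        # Inserted gates from Example 27: AND with 0 for s-a-0, OR with 1
        # for s-a-1, active only in the bit position of that faulty copy.
        for j, (fline, fval) in enumerate(faults, start=1):
            if fline == line:
                word = word | (1 << j) if fval else word & ~(1 << j)
        return word & ones

    val = {}
    for name, bit in zip(INPUTS, vector):
        val[name] = inject(name, ones if bit else 0)
    for out, op, (p, q) in GATES:
        val[out] = inject(out, OPS[op](val[p], val[q]))

    diff = 0
    for out in OUTPUTS:
        good = ones if val[out] & 1 else 0   # replicate the fault-free bit
        diff |= val[out] ^ good
    return [f for j, f in enumerate(faults, start=1) if (diff >> j) & 1]


def fault_simulate(vectors, faults, word_width=4):
    """Run the vectors in order, dropping each fault at first detection.
    Returns (first_detecting_vector_by_fault, undetected_faults, passes)."""
    remaining = list(faults)
    first_detect = {}
    passes = 0
    per_pass = word_width - 1            # bit 0 is reserved for the good circuit
    for vec in vectors:
        for i in range(0, len(remaining), per_pass):
            passes += 1
            for f in simulate_word(vec, remaining[i:i + per_pass]):
                first_detect[f] = vec
        remaining = [f for f in remaining if f not in first_detect]
    return first_detect, remaining, passes


VECTORS = [(1, 1, 0), (0, 1, 0), (1, 0, 0), (0, 0, 1)]   # constructed test set

if __name__ == "__main__":
    detected, undetected, passes = fault_simulate(VECTORS, all_faults())
    for fault, vec in detected.items():
        print(fault, "first detected by", vec)
    print("undetected:", undetected, "netlist passes:", passes)
```

With ten faults and four vectors the naive approach needs 4 x (10 + 1) = 44 netlist evaluations; the word-parallel run with dropping needs the number of passes returned by `fault_simulate`.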

An alternative way to speed up fault simulation is by deductive fault 
simulations, where only the fault-free circuit is simulated. For each injected 
fault, signal values are deduced from the fault free simulation and the circuit 
netlist. Again, since the circuit structure does not change, the deductions are 
performed in parallel. Difficulties with these types of simulators arise while 
dealing with sequential, especially asynchronous circuits [24]. 

The concurrent fault simulation is the most general implementation of 
the fault simulation. It takes the concept of event-driven simulators a step 
further. Here, each detection of a mismatch from the good circuit simulation 
triggers insertion of a bad gate attached at the good gate at the given node. 
The simulation then proceeds as with standard event-driven tools, except 
that the inserted gates create events on their own. 

Fault simulations are not exclusively used in manufacturing testing. They 
are successfully adopted in simulation-based netlist verification. Parallel 
fault simulations and fault dropping can equally well make netlist 
verification feasible. 

4.1 Random Simulations 

Fault simulations with randomly generated vectors offer an inexpensive 
way of detecting faults in a circuit under test (CUT). Although it is 
impossible to provide guarantees for high coverage (and in some cases this is 
known to be impossible), random vectors have been useful in a wide range 
of practical circuits. 

To be precise, the more appropriate name for the random patterns used in 
manufacturing testing is pseudo-random. In “random” testing stimuli, the 
appearance of 0's and 1's seems to be random on the local scale; however, the 
overall sequences are repeatable (therefore not random in a strict sense) due 
to the restrictions on the hardware used for their generation. The importance 
of randomness of test patterns prompted the development of various methods 
for its measurement. It is generally assumed that good random numbers 
should have the following characteristics (adopted after Knuth [76]): 

• Equidistribution: uniformity of pattern distribution over input space, 

• Serial: uniform distribution of groups of patterns, 

• Gap: uniform distribution of the length of gaps between numbers in 
vector subspaces, 

• Poker: a correct distribution of ^-tuples with r different values, 

• Coupon collector: correctness of a distribution of number of sequence 
values needed to obtain a complete collection of numbers, 

• Permutation: equidistribution of q! orderings in a block of length q, 

• Run: correct distribution of lengths of monotonically increasing and 
decreasing blocks, 

• Maximum of t: the power law distribution of maximum values in blocks 
of length t, 

• Correlation: close to zero correlation among numbers as well as 
autocorrelation and cross correlation between bits in the same number, 

• Visual: absence of long-term patterns and symmetries in sequences. 

Manufacturing testing must be periodically repeated during the entire 
lifespan of chips. This often leads to incorporating well-known pseudo- 
random test pattern generators on a chip as one of the elements of design- 
for-testability. Netlist verification does not impose such requirements, and 
test pattern generation happens mostly in software domain. Naturally, the 
means of implementation of a given pseudo-random generation algorithm 
(whether hardware or software) do not alter the properties of resulting test 
sets. Therefore, the contents of the following two sections, although dealing 
with pseudo-random test pattern generators used in manufacturing testing 
and implemented in terms of linear feedback shift registers (LFSRs) and 
Cellular Automata (CA), is equally applicable to simulation-based netlist 
verification. 

4.1.1 Linear Feedback Shift Registers 

A linear feedback shift register (LFSR) is a modified shift register 
(collection of sequentially connected single-bit storage elements) with at 
least one feedback loop. Its length is determined by the number of 1-bit 
memory cells used in the construction. The operation of LFSRs as cyclic 
shift registers requires that there is always a feedback loop from the last 
memory element to the first one. The task of this loop is to guarantee the 
repeatability of patterns generated by an LFSR. This and any additional 
feedback loops feed the contents of other memory cells to the first one, using 
an XOR gate, Figure 33. 

One of the criteria for the quality of LFSR stimulus is its length. Due to 
feedback loops, a sequence generated by an LFSR of length n can be 
described by a recurrence equation. Such an equation expresses the contents of 
the n-th cell in terms of a combination of values stored in the first cell and all 
the other cells, which are fed back through an XOR gate. The feedback in an 
LFSR is a linear function over the finite field GF(2), hence the name. 

Example 28: Consider a 4-bit LFSR in Figure 33. If “$b_m$” denotes the 
contents of the “m-th” cell, then the value stored in the fourth memory 
element of an LFSR is given by a recurrence equation: 
$b_4$ . Instead of describing the contents of the “m-th” 
register of an LFSR we can obtain the similar recurrence equation 
representing the value of the “m-th” term of the LFSR sequence, “$a_m$”, in 
terms of values of other elements of this sequence. For the particular LFSR 
in Figure 33 the following equation is used to determine the “m-th” term of 
the sequence: $a_m = a_{m-3} + a_{m-4}$. 

Figure 33: 4-Stage Linear Feedback Shift Register 

In addition to the recurrence equation for $a_m$, a generating function can 
be associated with each LFSR sequence. A generating function is a 
polynomial of a single variable x. The sole purpose of x is to associate a time 
frame with each term $a_m$. For example, the generating function G(x) 
associated with a sequence $\{a_m\} = \{a_0, a_1, a_2, \ldots, a_m, \ldots\}$ is: 

$$G(x) = a_0 + a_1 x + \cdots + a_m x^m + \cdots = \sum_{m=0}^{\infty} a_m x^m. \qquad (1)$$

The generating function is an important “tool” in analyzing properties of 
LFSR sequences. It describes in a compact form the sequence $\{a_m\}$. 
However, its role does not end here. It also provides guidance on how to 
build an LFSR capable of producing a particular sequence $\{a_m\}$. To visualize 
the operation of the generating function, Equation (1) must be modified, as it 
does not explicitly provide all the required information. 

The first step is to represent every element $a_i$, $i = 0, \ldots, n$, of the recurrence 
sequence $\{a_m\}$ in Equation (1) in terms of the n remaining elements associated 
with LFSR cells multiplied by “feedback loop” coefficients $c_i$, $i = 1, \ldots, n$: 

$$a_m = \sum_{i=1}^{n} c_i a_{m-i}. \qquad (2)$$

Please note that the feedback coefficient $c_i$ is 1 when a feedback loop 
exists from the cell i, and is 0 otherwise. 

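Substitution of Equation (2) into Equation (1) leads to a new form of G(x): 

$$
\begin{aligned}
G(x) &= \sum_{m=0}^{\infty} \sum_{i=1}^{n} c_i a_{m-i} x^m = \sum_{i=1}^{n} c_i x^i \sum_{m=0}^{\infty} a_{m-i} x^{m-i} \\
&= \sum_{i=1}^{n} c_i x^i \left( a_{-i} x^{-i} + \cdots + a_{-1} x^{-1} + \sum_{m=0}^{\infty} a_m x^m \right) \\
&= \sum_{i=1}^{n} c_i x^i \left( a_{-i} x^{-i} + \cdots + a_{-1} x^{-1} + G(x) \right).
\end{aligned}
$$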



Further manipulations result in the following equation: 

$$G(x) = \frac{\sum_{i=1}^{n} c_i x^i \left( a_{-i} x^{-i} + \cdots + a_{-1} x^{-1} \right)}{1 - \sum_{i=1}^{n} c_i x^i}. \qquad (3)$$

The analysis of Equation (3) leads to a few conclusions. Now, G(x) is no 
longer expressed in terms of current elements of the sequence $\{a_m\}$, as it was in 
the case of Equation (1). That form was a bit awkward, given the fact that G(x) 
is supposed to determine exactly the current content of LFSR registers. 
The series $\{a_{-m}\}$, on the other hand, represents an initial state of an LFSR (seed), 
which is set up prior to the operation of an LFSR, and hence is known. 

Let us examine more closely the numerator and the denominator of Equation 
(3). The numerator function $n(x) = \sum_{i=1}^{n} c_i x^i \left( a_{-i} x^{-i} + \cdots + a_{-1} x^{-1} \right)$ depends on the 
“feedback coefficients” $c_i$ and the seed $\{a_{-m}\}$. Although the set of tests generated is 
determined by the LFSR structure, the seed $\{a_{-m}\}$ in the numerator influences 
only the order of such patterns in a particular sequence $\{a_m\}$. Therefore, 
although the numerator determines the actual sequence of numbers 
generated by an LFSR, the presence of a seed in its function makes 
it impossible to uniquely determine the hardware structure of an LFSR. 

On the other hand, the denominator function of the form 
$d(x) = 1 - \sum_{i=1}^{n} c_i x^i$ bears only information related to the way an LFSR is built. 
The denominator function is then characteristic of a given LFSR, and 
therefore it is referred to as a characteristic polynomial. 

Characteristic polynomials play a crucial role in determining the length of 
the sequence generated by an LFSR. As stated at the beginning of this 
section, the maximum length of a sequence generated by an n-bit LFSR is 
$2^n - 1$. However, it is not guaranteed that each LFSR will actually generate 
that many patterns. In fact, only the n-bit LFSRs implementing an n-th order 
primitive polynomial are capable of generating all $2^n - 1$ patterns [55]. Tables 
of primitive polynomials can also be found in [4], [12], [24]. 

Example 29: The LFSR in Figure 33 implements a primitive polynomial: 
$d(x) = 1 + x^3 + x^4$. The initial seed is “0110”. The LFSR structure, and the 
set of 15 different patterns are presented in Figure 34. Additionally, a 
sequence $\{a_m\} = a_0, a_1, \ldots, a_{14}$ = “011010111100010” of 15 digits generated 
by the fourth stage of the LFSR is highlighted. 

Figure 34: Example of a Sequence Generated by LFSR 

Testing usually requires a much larger number of vectors than the $2^n - 1$ 
generated by an n-bit LFSR. Therefore, LFSR stimuli are not perceived as 
individual vectors (S0-S14 in Figure 34), but rather as a continuous, infinite 
string of 0s and 1s (taken from the last LFSR cell in Figure 34), and 
stored in an appropriate shift register (scan, for example). In that way, even a 
small LFSR can provide a required large number of pseudo-random vectors. 
Even more, an n-bit LFSR can supply test patterns to a k-input CUT, where 
n ≪ k, Figure 35. Although this solution is hardware efficient, the quality of 
vectors is compromised. Consecutive bits in an infinite string $\{a_m\}$ are no 
longer independent of each other. 

Bit relations are governed by a linear recurrence equation used for their 
generation. This relation imposes linear dependency among k consecutive 
bits generated by an n-bit LFSR, where n < k. In consequence, due to 
dependencies among bits, it is impossible to supply all $2^k$ combinations to 
the inputs of the CUT. In fact, some bit combinations will never be 
generated, compromising the effectiveness of the overall testing procedure. 
The length of the linearly independent sequence is a function of not only the 
size of a given LFSR, but also the primitive polynomial it implements [71]. 
Chen in [30] proposed a way of determining probabilities of linear 
dependencies among bits. 




Figure 35: Application of n-bit LFSR Patterns to k-Input CUT 



Example 30: A 4-bit LFSR implementing a primitive polynomial d(x) = 
generates patterns to test a 3-input OR (OR3) gate for various 
single s-a-v faults, Figure 36. Assume that tests are stored in a 15-bit shift 
register (referred to as a scan register) connected to the output of the LFSR. 
The content of the register, which is the test pattern, is updated every clock 
cycle with a new bit shifted out from the LFSR. After 15 cycles, all tests will 
be generated, and the shift register will return to the initial state. 

Assume that inputs “a”, “b” and “c” of OR3 are connected to the first, 
second and fifth cells of the scan register, Figure 36. This figure shows also 
that the only vectors which appear at the inputs of OR3 during the entire 
operation of the LFSR are: {a,b,c} = {000, 011, 101, 110}. Patterns {a,b,c} 
= {001, 010, 100, 111} will never be generated. Table 10 illustrates all 
single s-a-v faults at OR3, which will never be detected. Included is also a 
gate replacement fault, where a gate XOR3 is placed erroneously instead of 
the original OR3. 



Fault Type                 | 
---------------------------+----- 
a: s-a-0                   | 
b: s-a-0                   | 010 
c: s-a-0                   | 001 
OR3 replacement with XOR3  | 111 

Table 10: Faults at Gate OR3 and Vectors Needed for Their Detection 




Figure 36: Testing of OR3 Using Patterns Generated by LFSR 
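
Examples 29 and 30, together with the statement that only primitive polynomials give the full $2^n - 1$ period, can be reproduced in code. The following is an added example, not code from the book: it models the LFSR through its recurrence, compares the period of $d(x) = 1 + x^3 + x^4$ with that of a constructed non-primitive polynomial, and lists the stuck-at faults of OR3 that the scan taps never expose. Assumptions: Example 30 uses the polynomial and seed of Example 29, scan cell k holds bit $a_{t+k-1}$ at cycle t, and all function names are hypothetical.

```python
# Added example: the 4-bit LFSR of Examples 29 and 30, modeled through its
# recurrence a_m = sum over feedback taps i of a_(m-i), addition modulo 2.

def lfsr_bits(taps, seed, count):
    """First `count` bits a_0, a_1, ... for feedback taps (the i with c_i = 1)
    and seed a_0..a_(n-1)."""
    a = list(seed)
    while len(a) < count:
        m = len(a)
        bit = 0
        for i in taps:
            bit ^= a[m - i]
        a.append(bit)
    return a[:count]


def period(taps, seed):
    """Number of clock cycles until the n-bit LFSR state repeats."""
    n = len(seed)
    if max(taps) != n:
        raise ValueError("the last cell must feed back (c_n = 1)")
    start = state = tuple(seed)
    steps = 0
    while True:
        new = 0
        for i in taps:
            new ^= state[n - i]          # state[n - i] holds a_(m-i)
        state = state[1:] + (new,)
        steps += 1
        if state == start:
            return steps


def scan_patterns(taps, seed, cells, cycles):
    """Distinct vectors seen at the given scan cells (1-based) over `cycles`
    clock cycles. Assumption: cell k holds bit a_(t+k-1) at cycle t."""
    bits = lfsr_bits(taps, seed, cycles + max(cells))
    return {tuple(bits[t + k - 1] for k in cells) for t in range(cycles)}


def or3(a, b, c, fault=None):
    """3-input OR gate with an optional single stuck-at fault (line, value)."""
    v = {"a": a, "b": b, "c": c}
    if fault and fault[0] in v:
        v[fault[0]] = fault[1]
    out = v["a"] | v["b"] | v["c"]
    return fault[1] if fault and fault[0] == "out" else out


def undetected_faults(patterns):
    """Single stuck-at faults of OR3 that no pattern in `patterns` detects."""
    faults = [(line, v) for line in ("a", "b", "c", "out") for v in (0, 1)]
    return [f for f in faults
            if all(or3(*p) == or3(*p, fault=f) for p in patterns)]


PRIMITIVE = (3, 4)      # d(x) = 1 + x^3 + x^4, from Example 29
NON_PRIMITIVE = (2, 4)  # d(x) = 1 + x^2 + x^4 = (1 + x + x^2)^2, constructed
SEED = (0, 1, 1, 0)     # seed "0110" from Example 29

if __name__ == "__main__":
    print("".join(map(str, lfsr_bits(PRIMITIVE, SEED, 15))))
    print("periods:", period(PRIMITIVE, SEED), period(NON_PRIMITIVE, SEED))
    seen = scan_patterns(PRIMITIVE, SEED, cells=(1, 2, 5), cycles=15)
    print("vectors at OR3:", sorted(seen))
    print("never detected:", undetected_faults(seen))
```

The three tapped bits always satisfy $a_t + a_{t+1} + a_{t+4} = 0$, which is the recurrence itself, so only even-parity vectors ever reach the gate.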

Measures taken to improve the test quality include two-dimensional 
arrays, known as Self-Testing Using MISR (Multiple Input Shift-Register) 
and a Parallel Shift-Register (STUMPS) [12]. Such generators provide 
parallel, instead of sequential patterns - a feature highly desirable in many 
testing applications. In a typical STUMPS application, bits generated by an 
LFSR are fed through an XOR network to parallel registers (usually scan 
registers), from which vectors are supplied to CUTs, Figure 37. Although 
linear dependencies among generated bits are not eliminated, their 
probabilities are lower than in the case of one-dimensional LFSRs. 




Figure 37: A Axi Two-Dimensional Array 



4.1.2 Other Pseudo-Random Test Pattern Generators 



Cellular automata (CA) [63] are an inexpensive alternative to LFSR- 
based pseudo-random vector generation. They are finite state machines 
realized as regular d-dimensional arrays of cells capable of storing a fairly 
small state space and updating its state by the same rule, Figure 38. 
However, unlike LFSRs, a current state of any cell in CA depends only on 
the previous values of neighboring cells. The number of neighboring cells 
(neighbor sites) needed to generate the next value in a given cell depends, 
among others, on the dimension of CA. In a 1-d CA (and only such we 
discuss in this book) the neighborhood is restricted to two cells, Figure 38. 
Therefore, unlike LFSRs, where expansion in size requires major changes to 
feedback loop connections, CA are easily scalable. It is enough to simply 
connect more cells at the end of existing CA. 

Unlike LFSRs, CAs can have boundary conditions. For example, a 1-d 
CA in Figure 38.b has a loop connection between first and the last cell, while 
CA in Figure 38.c has null boundary conditions (the first and the last cell are 
always reset to 0). 

Another dissimilarity between LFSRs and CA is related to the 
initialization. Initialization is required in both cases. However, the initial 
vector does not have any influence on the length of patterns generated by an 
LFSR. On the contrary, initial values of CA are one of the deciding factors 
in determining the number of different vectors generated. There are two 
heuristic approaches to initializing a CA. First, one can assign random 
values to CA cells, with equal probability of “0”s and “1”s. Another way is 
to assign all zeros except in one, often central, cell. Initial patterns for the 
maximum length generators by a given CA can be determined 
experimentally. 

Example 31: Consider a simple 1-d CA with the cell structure presented 
in Figure 38.c. Cell 4 generates a next state based on the current states of 
itself and neighboring cells 3 and 5. At time “t” there are eight possible 
current states $S_t$ of cells 3, 4 and 5: $S_t = \{S^3_t, S^4_t, S^5_t\}$ = {000, 001, 010, 
011, 100, 101, 110, 111}. The next states of cell 4 are generated as modulo 2 
addition of cells 3 and 5: $S^4_{t+1} = S^3_t \oplus S^5_t$ = {0, 1, 0, 1, 1, 0, 1, 0}. 




Figure 38: Examples of 1-D CA: a) N-Cell, b) Cyclic Boundary Conditions, 
c) Null Boundary Conditions 

Possible next states of a given CA cell can be described by rules 
introduced by Wolfram [137]. Rules are simple Boolean equations, which 
relate a present state of a cell m and its two neighbors to the next state of m. 
The update rules for CA are often described by an integer obtained by 
enumerating all the next state values and reading them out as a single 
number. For example, the one-dimensional CA rule by which the state 
becomes one if both its neighbors are 1 is enumerated as: 

$x_{i-1}(t)\,x_i(t)\,x_{i+1}(t)$   111 110 101 100 011 010 001 000 

$x_i(t+1)$                          1   0   1   0   0   0   0   0 

The rule is read out as the decimal value of the bottom row: $2^7 + 2^5$ = 
128+32=160, and it is a decimal representation of the transition function 
between neighboring cells. Rules can be transformed into primitive 
polynomials similar to these implemented by LFSRs. In fact, Senra et al. 
have proven in [117] that one-dimensional hybrid CA and LFSRs 
implementing the same primitive polynomial are isomorphic. 

The behavior of CA can be classified into four general classes. Class 1 
includes CA that in the process of generating pseudo-random patterns 
progress towards a homogeneous final global state. Class 2 deals with CA that 
evolve to periodic structures. To class 3 belong all those CA that behave in a 
chaotic way. Finally, class 4 comprises CA with complicated propagation 
structures. Due to the fact that the sequences generated by the first two 
classes are very predictable, their value as pseudo-random pattern generators 
is poor. On the other hand, class 3, according to Wolfram, is an abstract 
representation of random models found in nature, and therefore, very 
valuable as pseudo-random pattern generators. 

Example 32: Examine CA implementing rules 30, 45 and 90. These rules 
illustrate, among others, how the length of patterns generated by CA 
implementing them varies, in spite of the fact that Boolean equations 
governing their operations are similar. 

Rule 30. This rule uses the following Boolean equation to generate a 
next state value of cell S in a one-dimensional CA: 

$S^{i}_{t+1} = S^{i-1}_{t} \oplus (S^{i}_{t} \cup S^{i+1}_{t})$, Figure 39.a. Observe that the value of S at time 
t + 1 depends not only on the states of two neighboring cells $S^{i-1}$ and $S^{i+1}$ at 
time “t”, but also on the current value of S itself. The properties of this rule 
have been first described by Wolfram in [138]. Pseudo-random patterns 
generated that way have lower quality than those obtained by an LFSR of the 
same length “n”. Additionally, the sequence is much shorter than that of $2^n - 1$ 
resulting from an n-bit LFSR implementing a primitive polynomial (the 
sequence structure has a cyclical character, however, the cycle period is 
much shorter than that of $2^n - 1$). 

Rule 45. This is a slight modification of rule 30 [138]. The value of a cell 
at time t+1 is determined using the information at time “t” taken from two 
neighboring cells $S^{i-1}$ and $S^{i+1}$ as well as the cell S itself: 
$S^{i}_{t+1} = S^{i-1}_{t} \oplus (S^{i}_{t} \cup \overline{S^{i+1}_{t}})$, Figure 39.b. Although the Boolean equation 
describing this rule is very similar to that of rule 30, lengths of cyclical 
patterns obtained that way improve compared to these generated by rule 30. 
The disadvantages include deteriorated randomness properties among 
patterns compared to those obtained by rule 30. 

Rule 90. Implementation of this rule, $S^{i}_{t+1} = S^{i-1}_{t} \oplus S^{i+1}_{t}$, Figure 39.c, in 
an n-cell CA results in the maximum length sequence, $2^n - 1$. Although, 
similarly to rules 30 and 45, patterns obtained this way fail some random 
number tests, the length of the sequence cycle, as well as the simplicity of 
implementation makes this rule a good alternative to LFSRs of the same 
length. 
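The rule numbering and the two boundary conditions described above can be exercised in software with the sketch below. It is an added example, not code from the book: the function names are illustrative, the Boolean forms used for rules 30 and 45 are the standard ones and are stated here as assumptions, and the null boundary is modelled as a constant-0 neighbour beyond each end of the array.

```python
"""1-d binary cellular automaton driven by a Wolfram rule number (added example)."""


def rule_number(next_state):
    """Enumerate next_state(left, centre, right) over 111, 110, ..., 000 and
    read the eight results as one binary number, most significant bit first."""
    number = 0
    for pattern in range(7, -1, -1):
        left, centre, right = (pattern >> 2) & 1, (pattern >> 1) & 1, pattern & 1
        number = (number << 1) | (next_state(left, centre, right) & 1)
    return number


def rule_table(number):
    """Next-state bit for each neighbourhood 000..111 (index = its binary value)."""
    return [(number >> pattern) & 1 for pattern in range(8)]


def step(cells, number, boundary="null"):
    """Advance every cell by one clock.

    boundary="cyclic": first and last cell are neighbours (loop connection).
    boundary="null":   the missing neighbour at each end reads as constant 0
                       (assumption about how the null condition is wired).
    """
    table = rule_table(number)
    n = len(cells)
    following = []
    for i in range(n):
        if boundary == "cyclic":
            left, right = cells[i - 1], cells[(i + 1) % n]
        else:
            left = cells[i - 1] if i > 0 else 0
            right = cells[i + 1] if i < n - 1 else 0
        following.append(table[(left << 2) | (cells[i] << 1) | right])
    return following


def distinct_vectors(seed, number, boundary="null"):
    """Count the different vectors produced from a seed before one repeats."""
    seen, state = set(), list(seed)
    while tuple(state) not in seen:
        seen.add(tuple(state))
        state = step(state, number, boundary)
    return len(seen)


# Next-state functions keyed by the rule number they should enumerate to.
RULES = {
    160: lambda left, centre, right: left & right,         # both neighbours are 1
    90: lambda left, centre, right: left ^ right,          # modulo-2 sum of neighbours
    30: lambda left, centre, right: left ^ (centre | right),
    45: lambda left, centre, right: left ^ (centre | (1 - right)),
}

if __name__ == "__main__":
    for number, function in RULES.items():
        print(number, rule_number(function), rule_table(number))
    state = [0, 0, 0, 1, 0, 0, 0, 0]    # constructed seed: a single 1
    for _ in range(8):
        print("".join(map(str, state)))
        state = step(state, 30, "cyclic")
```

Calling distinct_vectors with different seeds for the same rule and size shows how strongly the initial values of a CA influence the number of vectors it generates.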





Figure 39: Implementation of CA Rules 30, 45 and 90 

Although LFSRs and hybrid CA implementing the same primitive 
polynomials are isomorphic, the latter outperforms the former when it comes 
to the quality of randomness of test vectors. The quality of test patterns 
improves even further when two-dimensional CA are used [33]. 

CA as well as LFSRs found their application in testing as inexpensive 
generators of pseudo-random, pseudo-exhaustive and weighted patterns. 
Tests obtained that way are good not only in detecting s-a-v faults, but they 
work also for fault diagnostics. The algorithms behind LFSRs and CAs 
implemented in software perform fairly well as sources of vectors in 
simulation-based netlist verification. 

Arithmetic Generators. Another innovative hardware solution results 
in pseudo-random number sequences obtained by employing arithmetic 
circuits already present in the CUT as number generators [99]. The main idea 
explored here is to structure a test kernel around arithmetic circuits like 
adders, ALUs, multipliers, multiply-and-accumulate loops, shifters, etc., 
which are common to most DSP circuits, Figure 40. The test kernel is then 
used to implement complex testing functions of test pattern generation 
(compaction). Test programs implemented by test kernels adopt additive 
congruential generation scheme of pseudo-random numbers. For example, 
given an n-bit datapath consisting of an adder whose output is connected to a 
register (accumulator structure), a pseudo-random sequence can be 
generated according to the simple equation: $A_i = A_{i-1} + C \pmod{2^n}$. $A_i$ is the 
content of the register at time i, while $A_{i-1}$ is the contents of the accumulator 
register at time i-1. C is an additive constant. At the end of each iteration, 
an accumulator A contains the new test vector, which then can be applied to 
other blocks of datapath. Constant C plays an important role in the overall 
quality and length of test patterns. When selected appropriately, the 
congruential generation scheme results in $2^n$ vectors. 




Figure 40: Example of a Datapath 

Software Implementations. An alternative to hardware is the software 
implementation of random number generators. Several families of generators 
exist in practice, including a traditional linear congruential generator [76] 
that generates random numbers in a sequence: $x_n = a \cdot x_{n-1} + b$. Additive 
pseudo-random number generators described in the previous section belong 
to a simplified version of congruential generators, where the multiplicative 
constant a = 1. Obviously, there are some linear dependencies among 
vectors obtained this way. 
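The role of the constant C in the accumulator scheme, and the dependencies among bits of a congruential sequence, can be measured directly. The following is an added example, not code from the book; it assumes the modulus is 2^n for both the additive generator and the general congruential one, and the function names are illustrative.

```python
"""Cycle length and per-bit periods of congruential generators (added example)."""
from math import gcd


def lcg_cycle(a, b, n_bits, seed=0):
    """Return the cycle of x -> (a*x + b) mod 2**n_bits that is entered from seed.

    a = 1 gives the additive accumulator generator A_i = A_(i-1) + C with C = b.
    """
    mask = (1 << n_bits) - 1
    position, sequence, x = {}, [], seed & mask
    while x not in position:
        position[x] = len(sequence)
        sequence.append(x)
        x = (a * x + b) & mask
    return sequence[position[x]:]          # drop any lead-in before the cycle


def additive_period(c, n_bits):
    """Closed form for a = 1: the accumulator repeats after 2^n / gcd(C, 2^n) steps."""
    return (1 << n_bits) // gcd(c, 1 << n_bits)


def bit_periods(cycle, n_bits):
    """Smallest period of each bit position, least significant bit first."""
    length = len(cycle)
    periods = []
    for k in range(n_bits):
        bits = [(x >> k) & 1 for x in cycle]
        for p in range(1, length + 1):
            if length % p == 0 and all(
                bits[i] == bits[(i + p) % length] for i in range(length)
            ):
                periods.append(p)
                break
    return periods


if __name__ == "__main__":
    n = 4                                   # constructed 4-bit datapath
    for c in (3, 6, 4):                     # odd C reaches all 2^n vectors
        cycle = lcg_cycle(1, c, n)
        print("C =", c, "vectors:", len(cycle), "formula:", additive_period(c, n))
    full = lcg_cycle(1, 3, n)
    # Bit k repeats every 2^(k+1) steps: low-order bits are far from random.
    print("bit periods, additive C=3:", bit_periods(full, n))
    print("bit periods, a=5, b=3:    ", bit_periods(lcg_cycle(5, 3, n), n))
```

Even when the full 2^n vectors are reached, the least significant bit simply alternates, which is one concrete form of the dependencies mentioned above.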

Significantly more complex random vector generators can be used in 
random simulations by software means. Vectors can be biased to cover the 
subspaces of interest better, for either testing or verification uses of 
simulations. Furthermore, in complex circuits there is a large number of 
constraints that such test vectors must exhibit. For example, while simulating 
a networking device, the input must be a valid packet rather than a random 
combination of zeros and ones. Even harder might be to know the right 
output to such random stimuli, as complex systems depend on the long 
history and might not even be deterministic. For this reason, random 
simulators for verification invariably end up being complex [139]. 

4.1.3 Final remarks 

Common to all random simulations is the absence of any guarantee on 
the test coverage. Further, many circuits of interest are known not to be 
random testable, particularly for the sequences of patterns with the equally 
probable distribution of Os and Is. In the latter case, it is often helpful to 
subject circuits to biased or weighted random patterns, in which the 
probability of appearance of Os and Is is different than 0.5 [114], or to bias 
the system to increase the chance of exercising the events of interest in 
verification. 

The effectiveness of random patterns in detecting netlist errors is similar 
to that of s-a-v faults. Some circuits exhibit resistance to random patterns, 
while others test better with random stimuli, with the coverage of gate and 
wire replacement errors approaching 80%. The fault coverage of netlist 
errors can vary by a few percent depending on the randomness of tests. 
However, no drastic improvements can be expected depending on the actual 
algorithm used to obtain pseudo-random patterns. Software versions of 
LFSR, CA or congruential number generators give similar results. 

Therefore, as fault coverage is not high enough to rely solely on random 
stimuli, random patterns in netlist verification can play only a supportive 
role, while some other test generation techniques are used as main 
approaches. For instance, in Chapter 6 we will present the test generation 
scheme that produces stimuli as easily as random methods, yet with provable 
bounds on detecting the implicit error model given by additive AT of small 

5. DETERMINISTIC VECTOR GENERATION - ATPG 

The required test set is significantly smaller when using deterministic 
instead of pseudo-random methods for vector generation. However, since the 
problem of test pattern generation is already NP-Complete for combinational 
circuits (sequential circuits are even more difficult to deal with), algorithms 
of polynomial complexity are not likely to exist. Sophisticated heuristics are 
required to make the Automated Test Pattern Generation algorithms fast and 
practical. 

A typical ATPG algorithm consists of two phases, Figure 28. Initially the 
CUT is subjected to simulations with pseudo-random test patterns. The main 
goal here is a cheap detection of as many faults from a fault list as possible. 
Any pseudo-random test generation methods, like the ones described in 
previous sections, can be applied here. Overall, this stage is executed as any 
standard simulation-based testing. 

The remaining faults from the fault list, which were not detected by 
simulations, are subjected to the second, deterministic phase of ATPG, 
Figure 28. In order to realize this stage, all modern ATPG algorithms require 
dedicated data structures to describe CUTs. Most commonly exploited are 
binary decision trees, and their derivatives described in Chapter 2, Section 
2.1. Deterministic search algorithms, which work most effectively on tree-like 
data structures, are employed here in order to find a test vector for a 
given s-a-v fault. Although ATPG search algorithms may differ in details, 
common to all of them is an implicit search of a tree structure. Such search 
algorithms, which often require exploring the whole binary tree 
representation of a CUT, are the main contributors to the complexity of ATPG. 

5.1 Deterministic Phase 

The basic elements of any ATPG search algorithm involve the following 
steps: sensitization, excitation, justification and implication propagation, as 
shown on an example circuit in Figure 41. The faulty signal first has to be 
excited, or set to the value opposite to the stuck-at value. In order to detect 
the presence of a fault from the values at primary outputs, sensitization is 
required as a means of propagating the faulty signal(s) to the outputs. The 
side-effect of the first two steps is that the signals at lines other than the 
outputs and the faulty signal have to be justified, or assigned suitable value. 
Finally, the implication procedure propagates the obtained assignments 
through the path from the fault location to primary outputs (forward 
direction). The test vector is obtained if there is no inconsistent or conflicting 
assignment. 

Example 33: In Figure 41, the justification and implication steps produce 
non-conflicting assignment (d=1 and f=0) for the inverter input signal, 
hence the obtained vector can test the fault. Had there not been an inverter, 
the fault at line “a” stuck-at-0 would have been untestable. 

Figure 41: Basic ATPG Steps 

There are also algebraic ATPG techniques, which explore the notion of 
Boolean difference in calculating a test vector. Satisfiability, discussed in 
more detail in Chapter 2 Section 1.3, is another example of such methods. 
However, the majority of ATPGs used for s-a-v fault detection explore the 
circuit structure while searching for test vectors. 

Structural ATPG algorithms have their origin in the D-Algorithm 
developed by Roth at IBM [110]. The algebraic underpinning of the 
D-Algorithm lies in the use of the 5-valued logic for describing signals on the 
lines affected by a fault. These are: the correct signal values (0, 1), 
unknowns (X), and the two symbols D and D' for s-a-0 and s-a-1 
respectively, marking the presence of a fault effect on a given signal line. 
Logic operations on 5-valued signals are governed by the D-Calculus. This 
calculus is specially derived for the propagation of 5-valued signals through 
circuit digital gates. Therefore, it includes logic operations such as inversion, 
and, or and similar. The truth tables for logic operations can be easily 
established from the basic principles: in every logic operation that involves 
an X signal and other operand, of a non controlling value (e.g., 0 in AND 
gate), X takes a priority and the result is an X. Examples for the inversion 
and and operations are shown in a truth table, Figure 42. 

Figure 42: Example Logic Operations in D-Calculus 

The original ATPG search algorithm applies the D-Calculus to achieve 
the four essential steps in detecting each fault. In the language of the 
D-Algorithm, a fault is first injected (set-up). This means that an output of a 
gate with an associated s-a-v is assigned value D (to represent s-a-0) or D' 
(for s-a-1). The fault is then excited by selecting an appropriate excitation 
stimulus at the gate inputs. 

Next, the CUT is topologically examined in order to determine a unique 
sensitization path from the fault location to the primary outputs. If such a 
path exists, then D (D') is propagated along it to primary outputs. During 
that process first necessary assignments of 0’s and 1’s are executed on the 
lines critical for the propagation of the faulty signal to primary outputs. This 
process is referred to as path sensitization. All the remaining assignments of 
non-critical signals on the remaining lines along the critical path are 
performed through implications from the path sensitization assignments. 

The propagation of a faulty signal D (D') to the primary output is called a 
D-drive, and all gates that have been reached in this forward traversal belong 
to a D-frontier. In other words, a D-frontier consists of all gates having an 
output at X and at least one input at value D or D', Figure 43. Implications 
due to the D-drive are performed until D (D') reaches primary outputs. In the 
intermediate stages of the execution of ATPG procedures, the D-frontier 
indicates how far a faulty signal has propagated towards primary outputs. 
When the D-frontier reaches primary outputs, this means that there are no 
unjustified signal assignments along the path, which would obstruct the 
observation of D (D') at the primary outputs. 

Similarly, the backward propagation of a fault excitation towards 
primary inputs is called a J-frontier, Figure 43. If a J-frontier reaches 
primary inputs, it means that there are no unjustified signal assignments 
along the path, and an excitation vector can be generated in terms of primary 
inputs. Hence, ATPG generates a test vector if D- and J-frontiers reach 
primary I/Os. 

Unfortunately, for many faults non-conflicting assignments of all the 
signals along the critical path between fault location and primary I/Os are 
difficult to find on a first trial. When conflicts happen on internal lines 
(detected through consistency check), then the algorithm must backtrack to 
that place in the CUT where no conflicts were yet encountered. Then 
alternative assignments are tried along the path between the place where the 
algorithm backtracked and the primary outputs. This backtracking 
procedure, and in particular the investigation of several possible signal 
assignments before non-conflicting ones are finally obtained, is the major 
contributor to the complexity of any ATPG algorithm. The original 
D-Algorithm is summarized below. 



for each s-a-v fault in CUT { 
    /* of D (D') */ 
    if s-a-0 
        assign value D to faulty line 
    if s-a-1 
        assign value D' to faulty line 
    until D (D') reaches primary outputs { 
        implication (forward and backward traversal) 
        D-Drive 
        J-Drive 
        Consistency_check 
    } 
} 

Algorithm 4: D-Algorithm 



Example 34: Consider an s-a-1 fault at an internal line in Figure 43. The 
execution of the D-Algorithm resulting in a test vector for the above s-a-v 
fault involves the following steps. First the D-drive propagation is 
performed one gate at a time, until the signal D' reaches the primary output 
“f”. Then, the consistency check is performed through justification of 
unjustified internal lines. In our example these are the signals “d” and “e”. 
If such a consistency check results in a conflict, an alternative path from the fault 
location to the primary outputs is selected, until a non-conflicting solution is 
found or all possibilities have been exhausted. A similar procedure is 
executed for the backward traversal of the excitation stimulus from the fault 
location to the primary inputs. Here, values at lines “c”, “b”, “a”, “xi” and 
“xf” are checked for conflicts in that topological order. When the 
assignments along the paths to primary I/Os are consistent, as in this 
example, the values of the primary inputs are inferred - in this case, the 
possible test vector is (x1, x2, x3) = 011. 







Figure 43: Example of D-Algorithm 

5.2 Search for Vectors 

In the previous section we pointed out the need for a backward 
propagation procedure when a conflict in signal assignment is reached along 
a critical path. Example 34 illustrated a case when a conflicting assignment 
of intermediate signals is encountered during the propagation of the D' from 
the fault location to the primary outputs. Another situation involving a 
backtracking routine is during the unresolved assignments of signals along 
the path propagating fault excitation assignments to primary inputs. 

A backward propagation procedure is one of the most costly elements in 
every ATPG algorithm. In fact, it is a major factor distinguishing among 
various ATPGs, as the overall search through the solution space depends on 
how the backtracking is performed. The D-Algorithm backtracks the values 
assigned to nodes in the reverse topological order, from outputs to the inputs. 
Later analysis showed that the D-Algorithm causes excessive backtracking, 
especially for reconvergent paths with XOR gates. 

The successor algorithm - PODEM [55] primarily focused on the 
improvements in backtracking. Its major contribution was performing a 
backtracking search only among the input value assignments rather than all 
the signals. PODEM search is then performed via a decision tree whose 
nodes are the assignments of primary inputs. This automatically resulted in 
the smaller search space, and had eliminated some of the inefficiencies of 
the D-Algorithm. However, PODEM was often not capable of recognizing 
some signals along the critical path, whose values were uniquely determined 
and could be assigned immediately. Later algorithms, such as FAN [53] and 
SOCRATES [116], alleviated that problem by developing a technique for 
finding assignments of uniquely determined signals. Values of such signals 
were determined based on immediate implicants - a much cheaper solution 
compared to the backtrack search explored in these cases by PODEM. 
Implications were then added to guide the backtrack search for other, 
non-unique signal assignments. Further improvements include the use of 
testability measurements for guiding the heuristics. 
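The 5-valued signals and the idea of deciding only on primary inputs can be seen together in the sketch below. It is an added example, not code from the book or from PODEM itself: the three-gate circuit is constructed for illustration, inputs are tried in a fixed order without the objective and backtrace heuristics of the real algorithm, and all names are illustrative.

```python
"""Five-valued (0, 1, X, D, D') simulation with a search over primary inputs."""

X = None                               # unknown component
ZERO, ONE, XX = (0, 0), (1, 1), (X, X)
D, DBAR = (1, 0), (0, 1)               # (fault-free value, faulty value)


def and3(*ins):
    if 0 in ins:                       # a 0 on any input decides the output
        return 0
    return X if X in ins else 1


def or3(*ins):
    if 1 in ins:                       # a 1 on any input decides the output
        return 1
    return X if X in ins else 0


def not3(a):
    return X if a is X else 1 - a


OPS = {"AND": and3, "OR": or3, "NOT": not3,
       "NAND": lambda *i: not3(and3(*i)), "NOR": lambda *i: not3(or3(*i))}


def eval5(kind, operands):
    """Evaluate one gate on 5-valued operands; any unknown half collapses to X."""
    good = OPS[kind](*[v[0] for v in operands])
    bad = OPS[kind](*[v[1] for v in operands])
    return XX if good is X or bad is X else (good, bad)


def simulate(circuit, assignment, fault):
    """Forward implication of a partial input assignment with one s-a-v fault."""
    site, stuck = fault
    values = {}

    def place(name, pair):
        if name == site:               # inject: faulty circuit sees the stuck value
            pair = XX if pair[0] is X else (pair[0], stuck)
        values[name] = pair

    for name in circuit["inputs"]:
        v = assignment.get(name, X)
        place(name, (v, v))
    for name, kind, ins in circuit["gates"]:      # gates are in topological order
        place(name, eval5(kind, [values[i] for i in ins]))
    return values


def find_test(circuit, fault, assignment=None):
    """Decision tree over primary inputs only; returns a test vector or None."""
    assignment = dict(assignment or {})
    values = simulate(circuit, assignment, fault)
    out = values[circuit["output"]]
    if out in (D, DBAR):               # fault effect reached the primary output
        return assignment
    if values[fault[0]] in (ZERO, ONE) or out != XX:
        return None                    # fault not excited, or propagation blocked
    free = [x for x in circuit["inputs"] if x not in assignment]
    if not free:
        return None
    for value in (0, 1):               # decide, and backtrack on failure
        found = find_test(circuit, fault, {**assignment, free[0]: value})
        if found is not None:
            return found
    return None


# Constructed circuit: b = x1 OR (x1 AND x2) equals x1, so "a" s-a-0 is redundant.
CIRCUIT = {
    "inputs": ["x1", "x2", "x3"],
    "gates": [("a", "AND", ["x1", "x2"]),
              ("b", "OR", ["x1", "a"]),
              ("f", "AND", ["b", "x3"])],
    "output": "f",
}

if __name__ == "__main__":
    for fault in (("a", 1), ("a", 0), ("b", 0)):
        print(fault, "->", find_test(CIRCUIT, fault))
```

For the redundant fault the search exhausts every input assignment and reports that no test exists, which is the worst case for any backtracking scheme.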

Example 35: Consider four basic gates AND, NAND, OR and NOR. A single 
cube describes the ON-sets of AND and NOR gates: $f^{ON}_{AND}(A,B) = A*B$ and 
$f^{ON}_{NOR}(A,B) = \bar{A}*\bar{B}$, and the OFF-sets of NAND and OR gates: 
$f^{OFF}_{NAND}(A,B) = A*B$ and $f^{OFF}_{OR}(A,B) = \bar{A}*\bar{B}$, Figure 44. In fact the above 
cubes serve as the set of input signals, which uniquely determine each gate 
function. These cubes enumerate the implications and choices used in the 
search process. When there is exactly one cube (implicant) describing a gate 
function, as entries in the top rows in Figure 44, then the unique gate inputs 
assignment is implied. Otherwise, the choice is made during the search that 
can be reverted upon the conflict. For example, if the output “f” of a NAND 
gate is s-a-1 (and hence required to be set to 0 to excite the fault), then the 
primitive cube reflecting that fault is the one for which f is 0, i.e., (A,B) = 
(1,1). This happens to be a single cube describing the OFF-set of a NAND 
gate, which implies the assignment of inputs A and B, Figure 44; therefore 
no search is required here. However, search will be needed for detecting an 
output “f” of a NAND gate s-a-0, as in this case there is no unique cube 
describing the ON-set of NAND. 







Figure 44: Implications and Decisions at Elementary Gates 

Not surprisingly, ATPG found its applications not only in manufacturing 
testing, but also in simulation-based netlist verification. Hayes et al. [8] have 
shown that this approach works well in identifying single gate replacement 
errors. Their method required a representation of each correct gate and a 
candidate for an erroneous replacement in terms of a group of single s-a-v 
faults. Then the multiple runs of ATPG are called on a circuit under 
verification to find a test pattern detecting at least one of such s-a-v faults. 
This method is presented in more detail in Chapter 5, Section 3.1.2. 

Although the underlying fault model in Hayes' method was that of s-a-v 
faults, this is not a necessity for using ATPG in netlist verification. ATPG 
can be successfully used for other than s-a-v fault models, as long as what is 
needed for a fault detection is its excitation at its location, and then 
propagation of the excitation pattern to primary inputs and fault effect to 
primary outputs. 

5.3 Fault Diagnosis 

The detection of a fault, particularly in multi-chip designs, often requires 
a diagnosis of at least its location. Once identified, a fault cause can be 
removed through circuit correction, or a replacement of a faulty part. 
Regardless of a method involved in fault detection, testing alone provides 
too little information for diagnosis. All we know is a test vector detecting a 
fault. Neither the fault type (s-a-0 or s-a-1) nor its location can be deduced 
from testing information, as a given test vector can potentially catch many 
faults. In fact, from testing perspective, it is desirable to maximize the 
number of faults detectable by each vector, as this, in turn, minimizes the 
size of a test set. Hence, the compaction of test sets compromises fault 
resolution - a vector will now at most point to a set of faults detectable by 
this given stimulus. Therefore, some additional steps must be undertaken to 
diagnose the cause of the failure in a circuit. 

In the case of manufacturing faults, the diagnosis techniques often 
involve a construction of a fault dictionary. The fault dictionary associates 
with each fault a set of vectors that uniquely identifies the fault. Then the 
diagnosis of a fault amounts to finding a unique combination of test vectors 
that detects the exact location of the fault. 

Table 11: Fault Dictionary Example 



Example 36: Consider a fault dictionary for a set of seven faults F1-F7 
detectable by four test vectors V1-V4, Table 11. Information on the fault 
detecting capability is encoded by placing a “1” in the intersection of a 
vector row with the fault column corresponding to the vector and the fault, 
detected by it. From the above table, we can see that vectors V2-V4 are 
sufficient to detect all seven faults. We then say that V2 to V4 cover all the 
faults. However, to uniquely identify each fault, even all four vectors might 
not be enough. For example, F3 is diagnosed when all four vectors are 
applied. Vectors V1-V3 detect the fault, while V4 fails to do so. This creates 
a “blueprint” for a diagnosis of F3. However, faults F4 and F6 cannot be 
differentiated even by all four vectors, as the two columns are the same. 
Furthermore, if only a subset V1-V2 is applied, then F3 and F5 cannot be 
distinguished as well. In general, for a complete diagnosis one must ensure 
that all the columns of the table differ and that all the distinguishing vectors 
have been applied. 
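The checks described in Example 36 (coverage, identical columns, and diagnosis from an observed pass/fail pattern) can be automated as below. This is an added example, not code from the book: the entries of Table 11 are not reproduced on this page, so the matrix is constructed to agree with the statements of Example 36, and the function names are illustrative.

```python
"""Fault dictionary: coverage, diagnostic resolution and lookup (added example)."""

FAULTS = ["F1", "F2", "F3", "F4", "F5", "F6", "F7"]

# Constructed dictionary (not the book's Table 11): one row per test vector,
# one column per fault, 1 = the vector detects the fault.
DICTIONARY = {
    "V1": [1, 0, 1, 0, 1, 0, 0],
    "V2": [0, 1, 1, 0, 1, 0, 0],
    "V3": [0, 0, 1, 1, 0, 1, 1],
    "V4": [1, 0, 0, 1, 1, 1, 0],
}


def signature(fault, vectors):
    """Column of the dictionary for one fault, restricted to the applied vectors."""
    column = FAULTS.index(fault)
    return tuple(DICTIONARY[v][column] for v in vectors)


def covered(vectors):
    """Faults detected by at least one of the applied vectors."""
    return [f for f in FAULTS if any(signature(f, vectors))]


def indistinguishable(vectors):
    """Groups of faults whose columns coincide under the applied vectors."""
    groups = {}
    for fault in FAULTS:
        groups.setdefault(signature(fault, vectors), []).append(fault)
    return [group for group in groups.values() if len(group) > 1]


def diagnose(observed):
    """Candidate faults for an observed result {vector: 1 if the device failed it}."""
    vectors = list(observed)
    wanted = tuple(observed[v] for v in vectors)
    return [f for f in FAULTS if signature(f, vectors) == wanted]


if __name__ == "__main__":
    print("covered by V2-V4:", covered(["V2", "V3", "V4"]))
    print("same columns, all vectors:", indistinguishable(["V1", "V2", "V3", "V4"]))
    print("same columns, V1-V2 only: ", indistinguishable(["V1", "V2"]))
    print("fails V1-V3, passes V4:   ",
          diagnose({"V1": 1, "V2": 1, "V3": 1, "V4": 0}))
```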

Although this approach is rather natural, it is often impractical, as 
maintaining the exact and complete fault dictionary might be impossible 
even for small circuits due to the size of a fault list. We will consider more 
realistic techniques in the context of design error detection and correction in 
Chapter 5. 



6. CONCLUSIONS 

In this chapter we reviewed manufacturing testing techniques, which find 
a direct application to simulation-based netlist verification. The core of 
every simulation-based method is structured around an algorithm for test 
pattern generation. Even if elaborated techniques are used for obtaining 
required tests, random simulations are often the simple and reliable 
solutions. They can be used to eliminate the presence of easy-to-detect 
faults, or to help in establishing the quality of the more complex test 
generation schemes. Therefore, we believe that familiarity with pseudo- 
random test generation techniques is important for developing any 
simulation-based method. 

As we illustrated in this chapter, pseudo-random test generation 
algorithms can be easy to implement either in software or in hardware, 
depending on a need. Unfortunately, such algorithms often do not guarantee 
stimuli of the quality satisfactory for a given application. For example, 
patterns obtained by LFSRs can be linearly dependent, which prohibits the 
appearance of some tests. This is particularly undesirable when LFSRs are 
used to generate stimuli for pseudo-exhaustive testing, as in such cases 
exhaustive sets of vectors are needed. Other frequently used pseudo-random 
generators - Cellular Automata - are also not free from the problem of linear 
dependencies. Additionally, autocorrelations and cross correlations among 
patterns can significantly influence the length of resulting stimuli. Therefore, 
it is important to check the quality of random patterns, using for example 
standards proposed by Knuth [76], before applying them to testing or 
verification. 

In the case of unsatisfactory randomness properties of tests, various 
techniques can be used to improve some parameters. The addition of a linear 
phase shifter (a tree of XOR gates) [12] between a one-dimensional LFSR 
and a shift register used to store LFSR patterns is one of the low-cost 
solutions. In the case of CA, the randomness quality of test patterns 
improves significantly for two-dimensional CA. 

In many testing and verification techniques (pseudo-random) simulations 
are a significant, but not the only element in detecting potential errors. 
Important are also the deterministic methods, including ATPG schemes, 
which in relatively short time can provide a compact deterministic vector set 
for detecting manufacturing faults. Deterministic testing techniques gained a 
lot of momentum in simulation-based netlist verification, after Al-Assad and 
Hayes have shown in [8] that gate replacement errors can be modeled as a 
collection of single s-a-v faults. As a result, some manufacturing testing 
techniques can be successfully explored in gate replacement fault detection. 
Work presented in [8] serves as a good example of how testing methods can 
serve as blueprints for developing effective verification mechanisms. 

However, some caution is always advised in adopting testing methods to 
verification. Even if the two share the same fault model, as it is in the case of 
gate replacements represented by s-a-v faults [8], there are still some minor, 
but fundamental differences. Netlist verification is one of the stages of 
checking the correctness of a design, and once successfully completed, it is 
not repeated. Testing, on the contrary, is an on-going process repeated 
periodically during the whole lifetime of an IC. This gives verification an 
edge over testing when it comes to selecting a good method for 
pseudo-random pattern generation, as the compactness of hardware implementation 
is not required. Therefore, depending on vector generation needs, more bold 
improvements to existing pseudo-random test generation algorithms could 
be applied. 




Chapter 5 

DESIGN ERROR MODELS 



Fault Model Background 



In this chapter, we review the existing fault models for verification by error 
modeling. Explicit error classes as well as methods for their detection are 
addressed. We then introduce the concept of implicit error modeling, similar 
to the channel models in communication systems. The implicit model will be 
used henceforth in our netlist verification method. 



1. INTRODUCTION 

The majority of engineers view verification as a process of checking 
correctness of a design, which is at a higher level of abstraction than a 
netlist. It is rightfully assumed that humans are more prone to errors than 
automated tools. Therefore, all the stages that require heavy manual 
interaction can be potentially erroneous, and need a thorough checking. 
Unfortunately, in order to accommodate present-day circuits, the complexity 
of synthesis algorithms increases dramatically. Even with the best of efforts, 
automated tools contain bugs, which can be dormant for many applications, 
and then suddenly show their negative effects. In consequence, the 
flawlessness of synthesis tools cannot be taken for granted, prompting the 
need for netlist verification. 

Another strong argument in favor of checking the correctness of gate- 
level designs comes from the fact that human interaction at this stage cannot 
be completely eliminated. There are routinely repeating cases when 
designers must alter netlists. A few examples of such situations are: 
engineering of particularly complex and critical elements, handling small, 
late changes to the original specification, modifications to original designs to 
accommodate needs of new customers, and insertion of design for testability 
to improve circuit testability. Finally, when a circuit does not match the 
performance parameters like timing, area or power dissipation, the required 
changes to the netlist might be out of reach for automated tools. 

Due to ever-increasing circuit sizes, formal approaches are believed not 
to scale well for gate-level circuit representations. The alternative is to use 
simulation-based verification. Unlike higher levels of design abstraction, 
typical design errors in netlists are more structured, and could be represented 
by fault models. This fact indicates the feasibility of simulation-based 
methods; however, it does not make the effort easier. A fault model still 
needs to be found! 




Figure 45: Design Process and Quality (source: Aas et al., [2]) 

Although the concept of a fault model is an integral part of 
manufacturing testing, it may seem a little bit out of place in verification. 
After all, most of the verification approaches, either formal or simulation- 
based, confirm the correctness of a current design stage by comparing it with 
the previous, already checked phase. Therefore, it may seem that there is 
little room for a fault model. However, this perception is not completely true 
when it comes to non-exhaustive simulations, and netlist verification is one 
such case. Naturally, we can verify netlists by running the simulation-based 
comparison between gate-level and register-transfer level (RTL) forms, 
where the last one represents the pre-synthesis design. Such a comparison 
would be a reliable way of design verification only when it is feasible to 
subject circuits to exhaustive simulations. As this is nearly never the case, 
we cannot be sure what percentage of the netlist was covered by a given test 
set, and in consequence we cannot have high confidence that the netlist is 
correct. However, if fault models representing all the possible errors in the 
netlist are given, then by simulating the netlist under such a fault set, we can 
be sure that the netlist is verified. The other way of looking at the matter is 
to treat a fault model as the means to assess the quality of a non-exhaustive 
test set. 

Although there has been substantial research aiming to establish a 
netlist fault model, there is no standard model yet. Our approach presented 
here only partially depends on the foundations of the existing design error 
models to build techniques largely independent of actual error models. We 
start this chapter by introducing and reviewing explicit modeling of design 
errors based on work by Aas, Abadir, Hayes and others. Netlist errors 
represented explicitly bear some resemblance to stuck-at value (s-a-v) faults 
in manufacturing testing - in fact, it is possible to represent the majority of 
netlist errors by multiple s-a-v’s. Then, well-established methods can be 
borrowed from manufacturing testing for their detection. 

Some of the major shortcomings of explicit error modeling are: the size 
of the fault list, incompatibility of different error classes and large sets of 
redundant errors. The proposed solutions to these problems include the 
representation of netlist errors implicitly. In the second part of this chapter 
we introduce implicit modeling of explicit netlist error classes. Our implicit 
model employs spectral representation, such as Arithmetic Transform. 



2. DESIGN ERRORS 

Errors committed at a netlist level differ significantly in their character 
from all other errors considered in design verification. In fact, due to their 
uniformity across all designs, they are closer in nature to manufacturing 
faults. Therefore, it is possible to come up with their abstract representation, 
and by that significantly simplify the process of finding test vectors for their 
detection. 

Netlist errors affect the building blocks of a netlist, which are gates and 
wires. Therefore, we can treat them explicitly, similar to manufacturing 
faults. Additionally, as we will show later in this chapter, netlist errors can 
also be successfully represented implicitly, as well as their counterparts at 
the higher levels of design abstraction. However, in the latter case it is often 
impossible to come up with the representative explicit fault models due to 
the lack of uniformity among errors. 

To consider netlist errors explicitly, we need to establish an abstract fault 
model representation. As there are as yet no standard models of such errors, 
for error modeling purposes we use the published classifications in [3], 
[8], [25] and [135]. Since there are often restrictions on publications of 
errors in industrial designs, most of the available data is based on university 
projects. 

A study of microprocessors designed in academia over a period of a few 
years [26] shows that a large majority of gate-level design failures consist 
of erroneous replacements of a gate or wire in a network with another gate or 
wire, respectively. In particular, it was shown that by applying recent design 
flows, 98.9% of all design errors in the DLX processor, and 94.2% of errors in 
PUMA floating point units fall within this class. Additionally, the authors in [2] 
reported that 97.8% of design errors that occur during manual 
interventions belong to an error model of gate and wire replacements from 
[3]. For example, the following statistics regarding the frequency of 
design errors were determined based on the industrial and academic design 
data gathered in [26]. 



Error Category                      Frequency [%] 
Wrong signal source                 32.8 
Missing instance of gate/module     14.8 
Missing input                       11.5 
Wrong gate/module type              9.8 
Unconnected (floating) inputs       8.2 
Missing latch/flip-flop             6.6 
Conceptual error                    4.9 
Extra inversion                     1.6 
Wrong bit order                     1.6 
Other                               16.4 

Table 12: Design Error Distribution in University Designs Reported in [26] 

More recently, an independent investigation of design errors in [131] has 
produced a similar distribution of design errors in selected academic 
projects. The statistics gathered are reported in four broad categories, Table 
12. The first two classes of errors in the study correspond to the 
control/datapath partition. Unlike the work presented in [26], the main 
verification engine used in [131] was based on formal methods. That fact is 
reflected, among others, by having some error classes typical of formal 
verification; see the last two entries in Table 13. More detailed investigation of 
all cases in [131] reveals that the large majority of all errors are the wire, 
gate and the module replacements. We note that the design process in [131] 
omits design for testability. However, features like scan, Built-in Self-Test, 
etc., are often a significant source of errors, as we illustrate next. 

Error Category                      Frequency Range [%] 
Incorrect Control Logic             52-88 
Wrong connections                   5-27 
Incorrect design for verification   0-20 
Incorrect verification use          9.8 

Table 13: Design Errors in University Designs Reported in [131] 



3. EXPLICIT DESIGN ERROR MODELS 

As mentioned in Chapter 1, there is a variety of ways that the design 
faults are introduced to the netlist. Automated synthesis tool errors cannot be 
ruled out and are often hardest to detect. However, more frequent are errors 
caused by manual changes of the original netlist. For example, a common 
design-for-testability task of inserting a scan register (serial register with a 
capability of being loaded in parallel, and used to supply test vectors to 
various blocks in a circuit) requires some designer interaction. A typical 
error that a designer commits while inserting scan is that of reversing the 
order of the bus lines, as illustrated in Figure 46. 

b) Faulty circuit - scan connected to bus in reverse order 
Figure 46: Reverse Connection of Scan Chain to Internal Circuit Bus 

Figure 47: Summary of Netlist Design Errors 

According to error models proposed in [3], [8] and [25], common design 
errors are caused by problems either with interconnects (wires), or modules 
(gates). This observation leads to the following error classification: 








Interconnect Errors: 
  o Bus Errors: 
      • Bus Order Error - (BOE) 
      • Bus Source Error - (BSE) 
      • Bus Driver Error - (BDE) 
      • Bus Single Stuck Line - (SSL) 
  o Wire Replacement Errors: 
      • Extra Wire 
      • Missing Wire 
      • Incorrectly Placed Wire 

Gate and Module Substitution Errors (MSE): 
      • Single Gate Replacement 
      • Extra Inverter 
      • Missing Inverter 
      • Extra Gate 
      • Missing Gate 
      • Extra Gate (Complex) 
      • Missing Gate (Complex) 

The first four classes of interconnect errors correspond to errors in 
ordering (BOE), driving (BSE, BDE) and a logic value (SSL) on a bus 
(defined as one or more signal wires). Module substitution errors are 
restricted only to problems with gates, and reflect problems like: erroneous 
substitution of a gate by another gate with the same number of inputs and 
outputs, missing/added inverter, and missing/added (complex) gate. Figure 
47 summarizes the major classes of design errors at the netlist level. 

Several further studies were conducted on design error models and their 
detection. Similar to manufacturing testing, there is a trend to collapse 
further the design error classes in order to minimize the fault list. For 
example, in [8] and [29], authors independently came up with four classes of 
the design errors. In the former case, these error classes were: gate 
replacements, gate count, input count and wrong input. In the latter case, the 
four collapsed classes were: extra inverter, gate replacement, extra and 
missing wire. 

3.1 Detecting Explicit Errors 

Early contributions to the detection of the explicit design errors were 
presented in [8] and [3]. Several independent and unrelated approaches can 
be applied, ranging from using stuck-at-value fault detection, to fault model- 
specific vector generation, to the Universal Test Set approach. 

3.1.1 Application of Stuck-at-value Vector Set 

Abadir et al. [3] were the first to observe that the complete test set for single 
stuck-at faults detects all single gate replacement errors, when errors are 
restricted to gates: AND, OR, NAND and NOR. They considered a set of all 
netlist errors that can be detected by a complete test set for single s-a-v faults 
in a given circuit. They proved that any complete test set for single s-a-v 
faults not only identifies simple gate replacements, but also extra gates 
(simple case), missing gates (simple case), and extra wires. The same test set 
holds only partially for extra/missing gate (complex case), missing gate 
input, and incorrectly placed input wire. 
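
The observation above can be checked on a small netlist. The following is an added example, not code from the book or from [3]: it builds a complete single s-a-v test set for a constructed three-gate circuit (a greedy cover over exhaustive fault simulation stands in for an ATPG tool) and then checks every single gate replacement within AND, OR, NAND and NOR against that test set. The netlist, net names and function names are assumptions made for illustration.

```python
from itertools import product

GATES = {
    "AND":  lambda a, b: a & b,
    "OR":   lambda a, b: a | b,
    "NAND": lambda a, b: 1 - (a & b),
    "NOR":  lambda a, b: 1 - (a | b),
}

# Constructed netlist in topological order: (output net, gate type, input nets).
INPUTS = ["a", "b", "c", "d"]
NETLIST = [("g1", "AND", ("a", "b")),
           ("g2", "OR", ("c", "d")),
           ("out", "NAND", ("g1", "g2"))]
OUTPUT = "out"
ALL_VECTORS = list(product((0, 1), repeat=len(INPUTS)))


def simulate(vec, netlist=NETLIST, stuck=None):
    """Evaluate the netlist for one input vector.

    stuck is None, ("pin", gate, pin_index, value) or ("out", gate, value).
    """
    val = dict(zip(INPUTS, vec))
    for out, gtype, ins in netlist:
        pins = [val[i] for i in ins]
        if stuck and stuck[0] == "pin" and stuck[1] == out:
            pins[stuck[2]] = stuck[3]          # fault on one gate input pin
        val[out] = GATES[gtype](*pins)
        if stuck and stuck[0] == "out" and stuck[1] == out:
            val[out] = stuck[2]                # fault on the gate output
    return val[OUTPUT]


def stuck_at_faults():
    """Single s-a-0 / s-a-1 faults on every gate input pin and gate output."""
    faults = []
    for out, _, ins in NETLIST:
        for v in (0, 1):
            faults.append(("out", out, v))
            faults += [("pin", out, p, v) for p in range(len(ins))]
    return faults


def complete_sav_test_set():
    """Greedy cover: add vectors until every detectable s-a-v fault is detected."""
    detects = {f: {v for v in ALL_VECTORS if simulate(v, stuck=f) != simulate(v)}
               for f in stuck_at_faults()}
    pending = {f for f, vs in detects.items() if vs}   # redundant faults dropped
    tests = []
    while pending:
        best = max(ALL_VECTORS, key=lambda v: sum(v in detects[f] for f in pending))
        tests.append(best)
        pending = {f for f in pending if best not in detects[f]}
    return tests


def gate_replacements():
    """Every single gate replacement error within {AND, OR, NAND, NOR}."""
    for idx, (out, gtype, ins) in enumerate(NETLIST):
        for wrong in GATES:
            if wrong != gtype:
                faulty = list(NETLIST)
                faulty[idx] = (out, wrong, ins)
                yield (out, gtype, wrong), faulty


def check_replacements(tests):
    """Classify each replacement as detected by tests, missed, or redundant."""
    result = {"detected": [], "missed": [], "redundant": []}
    for name, faulty in gate_replacements():
        if any(simulate(v, faulty) != simulate(v) for v in tests):
            result["detected"].append(name)
        elif any(simulate(v, faulty) != simulate(v) for v in ALL_VECTORS):
            result["missed"].append(name)
        else:
            result["redundant"].append(name)
    return result


if __name__ == "__main__":
    tests = complete_sav_test_set()
    print(len(tests), "of", len(ALL_VECTORS), "vectors:", tests)
    for kind, items in check_replacements(tests).items():
        print(kind, len(items), items)
```
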

3.1.2 Detection of Gate Replacements 

Another approach relating single gate replacement errors (SGRE) to 
stuck-at faults was proposed in [8]. This method starts from generating an 
exclusive test set that uniquely distinguishes each gate from the others in the 
library. Then, a replacement model of each gate is constructed. This model, 
consisting of a few gates, is functionally equivalent to the original gate. Its 
role is to provide the “infrastructure” for the set of single s-a-v faults which, 
when injected individually into the model, can be detected only by the 
previously generated exclusive test set associated with the erroneous gate, 
Figure 48. Finally, the ATPG is called (possibly) several times per given 
SGRE in order to find at least one of the s-a-v faults superimposed on the 
gate model. The detection of at least one such s-a-v guarantees that each 
SGRE represented by the model will be found. Consequently, a gate 
replacement error is declared redundant if none of the s-a-v faults is found 
by the ATPG. 

Figure 48 shows an erroneous replacement of the correct gate OR2 with 
AND2, and a model representation of an error, together with all the single 
s-a-v faults associated with the model. The exclusive test set consists of 
vectors $V_{all}$. $V_{null}$ stands for the all-zero test vector, is the 
set of vectors with odd number of “1”s, while $V_{all}$ is the stimulus of all “1”s. 

The complete test sets for detecting AND2 and all the imposed s-a-v 
faults in Figure 48 are presented in Table 14. Entry "e^' is the fault free 
behavior of the model, while the entries to the right of “ey describe the 
behavior of the model subjected to the injected single s-a-v faults. 




Figure 48: Module for Detecting a Replacement Error with AND2 



S-a-v faults in the replacement model tackled by ATPG bear no relation 
to the possible single s-a-v faults of the circuit, which are targeted during the 
manufacturing testing process. Hence the results of verification for SGREs 
cannot be reused in testing for single s-a-v faults, and vice versa. Also, 
detection of irredundant SGREs requires, on average, multiple passes of 
ATPG. In the case of redundant SGREs, however, multiple runs of ATPG 
are guaranteed. 

Table 14: Vectors Detecting Errors in Figure 48 



3.1.3 Universal Test Set Approach 

Starting from early contributions to the detection of explicit design errors 
presented in [3], there has been a strong interest in deriving a test set based 
on a notion of the Universal Test Set (UTS). The UTS concept traditionally 
refers to a vector set that detects a well-defined class of faults. In [3], authors 
used the known property of the existence of the UTS for unate functions 
representing the faults. As a reminder, an n-variable function is unate in all 
the variables if it is monotone in each variable, i.e., if either 

Abadir et al. proved that the complete test set for stuck-at-value faults could 
detect any gate substitution to/from a unate gate. 

In [29], authors constructed an elaborate scheme to detect single gate and 
wire replacement errors in unate functions. First, they applied the result from 
[3] which uses complete sets for stuck-at-value faults for a subset of design 
errors. Their method based on UTS guarantees the detection of errors such 
as an extra/missing inverter, a single gate replacement and a missing wire in 
unate circuits. The only condition imposed here is that UTS must be able to 
detect all single s-a-v faults as well. However, in the case of redundant s-a-v 
faults, this method is no longer valid. 



4. IMPLICIT ERROR MODEL PRECURSORS 

In verification by error modeling, a set of test vectors is required to check 
that a circuit contains no error from the considered model. So far we have 
described the attempts to specify explicit fault modeling of design errors. 
Now we discuss an alternative solution, i.e., an implicit fault model. 

The major difference between explicit and implicit fault models lies in 
the fact that in the latter case faults do not have to be injected into the netlist 
during the verification by simulations. In fact, the original netlist is not 
altered at all by errors for the purpose of test simulations, which is always 
the case in the explicit error model testing (for example detection of s-a-v’s). 
Therefore, when implicit error modeling is used, knowledge of a circuit 
structure is not needed. The circuit under verification can be treated as a 
black box, where a description of a design error is obtained by comparing 
responses of an erroneous circuit with those of its (correct) specification. 

Definition 11: A black-box verification does not require any knowledge of a 
circuit structure and implementation, as it is performed through design 
interfaces without accessing directly any of internal states. 

Black-box techniques, although useful in testing, are not helpful when it 
comes to error diagnostics, where the structure of the circuit is needed for 
the error location and eventual correction. Could we classify verification 
under explicit error model as a white-box technique, in which we know the 
circuit structure and can easily access each of its elements? The answer is 
no. In order for verification to be white-box, we must have full visibility 
and controllability of the circuit structure. It is true that, while performing 
circuit verification under the assumption of an explicit error model, the 
structure of the circuit is known; however, upon error detection it is still 
impossible to know either the exact error type or its location. Therefore, 
explicit fault modeling is by no means more helpful in error diagnostics than 
the implicit model. Let the manufacturing testing for s-a-v faults serve as an 
example. Here, although errors are modeled explicitly, we still need 
diagnostics techniques to locate the error in the circuit upon its detection. 

4.1 Rationale for Implicit Models 

There is some raison d’être for implicit error modeling. However, before 
we unveil our reasoning, we want to stress that both modeling approaches 
have their weak and strong points. The work on modeling, detecting and 
correcting errors on the netlist level is not completed; in fact, there are still 
many issues to be resolved. However, we believe that, at this stage, there is 
a better perspective ahead for implicit error modeling, and in the remaining 
part of this section we defend our stand. 

First, comprehensive explicit fault models are not standardized so far. 
Even if there is an explicit fault model in widespread use, it might not be 
too practical due to the size of a fault list required. In multimillion-gate 
circuits, it may be prohibitive to examine all explicit gate and wire 
replacements. Therefore, new techniques that scale well with circuit size are 
needed to describe design errors. 

Furthermore, explicit errors are “highly specialized”. The scope of 
defects they can model is very narrow, leading to the inability of describing 
a wider range of different design failures. For example, s-a-v’s represent 
manufacturing defects, and can be used at most to model some gate 
replacement errors. Anything beyond that seems to be highly impractical. 

It is practically impossible to draw any universal relations between 
explicit error models and properties of test vectors. Stuck-at faults can serve 
here as a good example. It is a well-known fact that, in the case of the 
majority of circuits, s-a-v faults are random testable, i.e., a significant 
percentage of all the faults can be detected by random (pseudo-random) 
vectors. However, there are circuits that do not have the property of 
being random testable. For such circuits, more elaborate test patterns have 
to be developed. In fact, we cannot assign the property of random (or any 
other) testability to s-a-v’s, as this is more a feature of the circuit structure 
than of the fault model. 

The situation is positively different in the case of implicit error models. 
Here, test vector sets are an inherent part of modeling errors implicitly. Such 
test patterns are generally more elaborate than simple random stimuli; 
however, they are circuit-independent, and work well with all kinds of 
designs as long as they are applied to the same implicit fault model. 

Further, as will be apparent later, there is a substantial number of 
redundant faults among explicit errors such as gate and wire replacements. 
Their existence severely degrades the speed of verification, as many 
simulation cycles are wasted while attempting to detect the errors that 
actually do not change the original functionality of a circuit, and hence are 
undetectable by simulations. Methods for redundant error identification are 
generally very elaborate, and are also not as scalable and parallelizable as 
simulations are. 

The notion of redundancies is not familiar to implicit faults. Therefore, 
no simulation cycles are wasted on detecting redundant errors. Furthermore, 
there is no need for elaborate methods of removing redundant errors from 
fault lists (simulations alone cannot help in identifying them). 

4.2 Related Work - Error Models 

Design fault models are intended to capture in a relatively concise way 
all errors at various levels of design abstraction. There is an increased 
interest in a well-defined design fault model that is as abstract and generic as 
possible. In literature, the applicable concepts are those of Universal Test Set 
(UTS), or of new fault models. The UTS concept was already introduced in 
Section 3.1.3, and will be further elaborated in the coming chapters. We next 
elaborate one such design fault model. 

4.2.1 Port Fault Models 

Among the fault models that abstract away details of the implementation, 
and are intended for verification purposes, we notice the Input Pattern Fault 
Model (IPFM) [15] and Port Order Fault Model (POFM) [129], [135]. Both 
models belong to pin-fault models [4], which assume that the block 
components are correct, but their interconnection might not be. 

The IPFM fault model attempts to be sufficient for complete and partial 
functional verification of circuit blocks, independent of the design 
abstraction level. The POFM model was created for verification of 
Intellectual Property (IP) blocks. Both models try to restrict the faults to the 
block ports (inputs or outputs). More recent work on implicit modeling of 
faults was presented in [112], where such a model was constructed to 
represent errors for designs at RTL level. High correlation was shown 
between their models and actual netlist-level faults. 

We now consider in more detail POFM and its pattern generation. POFM 
consists of three subtypes of faults: 

• Type-I: at least one input has the pin replaced with output 
• Type-II: at least two inputs are interchanged 
• Type-III: at least two outputs are interchanged 

The model includes more than a single interchange of only two pins. In 
fact, an arbitrary permutation of inputs and outputs belongs to the model. 
Hence, the number of faults (fault list size) quickly becomes prohibitively 
large, i.e., $O(n!)$. The critical step in using an implicit model is the avoidance 
of explicit fault lists in providing the test pattern generation. Instead, the 
properties of the faults are used to derive provably test patterns. 

In [135] the authors observe that by concentrating on vectors with fixed 
number of ones, i.e., on a single Boolean lattice layer, the detection of 
POFM errors becomes possible. 

Theorem 3: A single lattice layer of vectors, other than the top or a bottom 
layer, can activate all POFM faults. 

The proof of this observation is based on the fact that at a given lattice 
layer m, all permutations of m ones are present. Hence, any such permutation 
of ports can be activated. Then, for n-port functions, the test vector size is 
equal to $\binom{n}{m} = O(n^m)$, i.e., the number of vectors in the $m^{th}$ 
lattice layer. 

Activating the fault does not suffice to actually detect it. Further 
refinements to the test vector set apply dominance properties based on the 
following property. 

Theorem 4: For vectors in the $m^{th}$ lattice layer, if one fault can be 
detected, then $m!(n-m)!$ faults can be detected as well. 

This property is again explained by noticing that all the permutations of m 
ones are present in the test set. To detect an arbitrary fault, results are 
obtained by simulating given lattice layers. The coverage rate is recorded, 
and the simulation of another lattice layer commences if the coverage is not 
sufficiently high. The authors further rely on the existence of IEEE P1500 
test interface standard to verify arbitrary interconnection of IP cores. 
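
Theorem 3 and the layer-by-layer simulation loop described above can be tried on a small block. This is an added example, not code from the book or from [135]: it enumerates Type-II faults (input permutations), checks which lattice layers activate them, and simulates successive layers while recording how many faults are detected. The 4-input block function and all names are assumptions; the block is symmetric in its first two inputs, so the fault that swaps them is redundant and stays undetected.

```python
from itertools import combinations, permutations


def lattice_layer(n, m):
    """All n-bit vectors with exactly m ones: layer m of the Boolean lattice."""
    return [tuple(int(i in ones) for i in range(n))
            for ones in combinations(range(n), m)]


def apply_fault(vec, perm):
    """Type-II POFM fault: block input j is wired to source perm[j]."""
    return tuple(vec[p] for p in perm)


def activates(layer, perm):
    """A fault is activated when some vector reaches the block inputs changed."""
    return any(apply_fault(v, perm) != v for v in layer)


def detects(block, layer, perm):
    """A fault is detected when some vector changes the block output."""
    return any(block(apply_fault(v, perm)) != block(v) for v in layer)


def type2_faults(n):
    """Explicit list of all non-identity input permutations (n! - 1 faults).

    Enumerated only because n is tiny here; the implicit model exists
    precisely to avoid building this list for realistic port counts.
    """
    identity = tuple(range(n))
    return [p for p in permutations(range(n)) if p != identity]


def simulate_layers(block, n, target):
    """Simulate layers 1..n-1 in turn until `target` faults are detected.

    Returns ([(layer, vectors_in_layer, faults_detected_so_far)], undetected).
    """
    remaining = set(type2_faults(n))
    total = len(remaining)
    report = []
    for m in range(1, n):
        layer = lattice_layer(n, m)
        remaining = {p for p in remaining if not detects(block, layer, p)}
        report.append((m, len(layer), total - len(remaining)))
        if total - len(remaining) >= target:
            break
    return report, remaining


def sample_block(v):
    """Constructed 4-input block: (a AND b) OR (c AND NOT d)."""
    a, b, c, d = v
    return (a & b) | (c & (1 - d))


if __name__ == "__main__":
    n = 4
    faults = type2_faults(n)
    for m in range(n + 1):
        layer = lattice_layer(n, m)
        hit = sum(activates(layer, p) for p in faults)
        print(f"layer {m}: {len(layer)} vectors activate {hit}/{len(faults)} faults")
    report, undetected = simulate_layers(sample_block, n, target=len(faults))
    for m, size, found in report:
        print(f"after layer {m} ({size} vectors): {found}/{len(faults)} detected")
    print("undetected (redundant) faults:", sorted(undetected))
```
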



5. ADDITIVE IMPLICIT ERROR MODEL 

In cases of an unknown fault list, a circuit can be treated as a black box, 
where a description of a design error is obtained by comparing responses of 
an erroneous circuit with those of its (correct) specification. When circuits 
are regarded as black boxes, errors can be modeled only implicitly. Although 
there are many ways to treat implicit errors, in this book we approach them 
through the additive implicit error model, which is given by the Arithmetic 
Transform of a difference between the correct and faulty circuits. We next 
derive efficient fault detection methods for errors whose Arithmetic 
Transform is of bounded size. 

Since a fault is treated as a quantity added to the circuit output, Figure 
49, the behavior $f'$ of the faulty circuit is represented as a sum of the correct 
output $f$ and the error function $e$, i.e., $f' = f + e$. As AT is linear, the relation: 

$$AT(f') = AT(f + e) = AT(f) + AT(e)$$

is satisfied. The “size” of the error is measured in terms of the number of 
nonzero spectral coefficients in AT of the error $e$, i.e., $AT(e)$. 




Figure 49: Error as Addition to Correct Circuit 

Although $AT(e)$ for each error can be obtained by simulating the faulty 
and correct circuits and subtracting their outputs, we emphasize that our 
verification scheme and the analysis to follow do not require the complete 
explicit identification of an error. It is rather sufficient to derive the spectral 
conditions for detecting faults belonging to the class of small spectrum 
errors, and relate them to the explicit models from Section 3. 

The motivation for our implicit error model lies in analogy to 
communication system theory. The large classes of physical communication 
errors are modeled as an erroneous signal (noise) superimposed on the 
otherwise correct message. Noise sources can come from the imprecise 
algorithmic solution, be a result of the noise in an electronic part, or can be 
an effect of the interference to the transmitted signal. All of the above cases 
are hard to model. Therefore, instead of trying to identify the exact cause of 
an error, the effort is oriented towards eliminating an effect of an error from 
the transmitted signal. Hence, the requirement of an explicit error modeling 
is secondary to the need of representing an error in a way that makes it 
possible to extract it from the faulty signal, and to correct the overall 
problem. Implicit error modeling is in this case the preferable solution. 

We notice that the approach analogous to the explicit fault models could 
also be applied in communications. For example, communication system 
designers could model an effect of erroneous channel on the transmitted 
signal by assuming a bit in the message stuck at zero, one, or various 
constellations of a set of incorrect signal words. Note that the complexity of 
dealing with such assumptions soon becomes prohibitive with lengthy 
messages. 

5.1 Arithmetic Transform of Basic Design Errors 

An implicit error model proposed in this book is based on considering 
netlist errors in spectral domain, and, in consequence, regarding them in 
terms of AT polynomials. Arithmetic Transform, due to its properties such 
as linearity, is a good choice. Besides error modeling, it will facilitate 
identification and then removal of an error, similar to the function of error 
correcting codes in communication channels. 

In the previous section we introduced basic error types commonly found 
in netlists. These are: Bus Order Error (BOE), Bus Source Error (BSE), 
Bus Driver Error (BDE), Single Wire Error, Bus Single Stuck Line (SSL), 
and module replacements: Gate and Module Substitution Error (MSE). As 
we show next, AT spectra of such design errors are compact when 
considered in isolation. 

Bus Order Error (BOE): This group includes a common design error of 
incorrectly ordering bits in a bus. 

a) Correct circuit 
b) Faulty circuit - bus lines $x_i$ and $x_k$ interchanged 
Figure 50: Bus Order Error 

For example, if signals $x_i$ and $x_k$ of the bus $x$, $x = x_0 x_1 \ldots x_{n-1}$, have been 
interchanged, the transform of this bus considered in isolation is: 

$$\sum_{j=0}^{n-1} (x_j \cdot 2^j) + x_i \cdot 2^k + x_k \cdot 2^i - x_i \cdot 2^i - x_k \cdot 2^k.$$

If AT of the correct transform was $AT(f)$, then the transform of the faulty 
bus is: 

$$AT(f') = AT(f) + x_i \cdot 2^k + x_k \cdot 2^i - x_i \cdot 2^i - x_k \cdot 2^k$$

The error polynomial has four nonzero spectral coefficients. In general, any 
permutation of signals of an n-bit bus will have the error transform with at 
most 2n spectral coefficients. 

Errors of this class are very common in digital designs, are hard to trace, 
and unfortunately can often pass undetected. In particular, BOEs are 
committed while introducing any changes (both manually and automatically) 
to the original design. For example, when design-for-testability features like 
scan are added to the existing circuit, scan cells are often being wrongly 
connected to the original circuit elements. This error is then relatively hard 
to detect. Other examples include rewiring in the process of design 
minimization. 

Bus Source Error (BSE): This class represents errors that cause the 
replacement of the intended source $x_k$ with the erroneous source $r_k$. 
Arithmetic Transform of the error is $AT(e) = r_k \cdot 2^k - x_k \cdot 2^k$. 

Figure 51: Source of Bus B Replaced by Erroneous One (original design: Adder 
is a source of Bus B; erroneous design: Circuit E1 is a source of Bus B) 

Bus Driver Error (BDE): These errors correspond to a bus being driven 
by two sources. They are dependent on the implementation technology. For 
example, if a bus line is realizing a “wired-OR”, then by connecting the 
additional source $r_k$ to the line $x_k$, the resulting signal is $x_k \vee r_k$. Using integer 
arithmetic, the logical OR is obtained as $x_k \vee r_k = x_k + r_k - x_k \cdot r_k$. This 
identity leads to the following Arithmetic Transform of the additive error 

a) Correct circuit: tri-state buffers enabled by mutually exclusive control cases 
b) Error circuit: tri-state buffers enabled by the same controller - talking to 
   bus simultaneously 

Figure 52: Bus Drive Error 

An example of a BDE is presented in Figure 52. We observe that the 
outputs of circuits B1 and B2 are connected to the bus through tri-state 
buffers. Although they are both driving the same bus line, the control signals 
to tri-state buffers are driven by mutually exclusive conditions generated by 
controllers Ctrl1 and Ctrl2. Therefore, it is not possible that the bus will be 
driven simultaneously by B1 and B2. However, if the control lines are 
erroneously driven by the same controller Ctrl, then the bus will have more 
than one active source at a time, leading to a BDE. 




Figure 53: Incorrect Wire Connection (original design; erroneous design with
wires $x_0$ and $y_1$ switched)

Single Wire Errors (Extra, Missing and Incorrect Wire Connection):
These errors can be viewed as bus errors such as BOE and BDE. The
difference lies in the bigger granularity of this class of errors. They affect a
single pair of wires that is not necessarily a part of a bus. An example of
Arithmetic Transform of such errors is derived here in the case of bus errors.
For example, the transform of an n-bit adder x + y with two input pins $x_0$ and
$y_1$ interchanged, Figure 53, has two erroneous AT coefficients.



$$\sum_{i=0}^{n-1} 2^i (x_i + y_i) + (x_0 - y_1).$$

Bus Single Stuck Line (SSL): The error in which an n-bit bus is stuck
at a constant value (0 or 1) is represented as an additive error for which
Arithmetic Transform has $O(n)$ nonzero spectral coefficients. For the SSL
with a bus stuck at zero, the faulty function transform is:

i =0 i '=0 

Hence the error transform is equal to $AT(e) = -\sum_{k=0}^{n-1} x_k 2^k$.
In the case of a bus stuck-at-1, the error transform has $n+1$ nonzero
coefficients: $AT(e) = \sum_{k=0}^{n-1} (2^k - x_k 2^k)$. Any combination of
the SSL errors would have the error transform that is linear in the number of
lines that are stuck.

Figure 54: Bus Stuck-at-0 and Stuck-at-1
a) Bus stuck-at-0
b) Bus stuck-at-1

Single Stuck-At Faults (S-A-V): Single stuck-at faults are directly used
in manufacturing testing of integrated circuits. The effects of these faults
cannot, in general, be described by a single formula. Error spectra can be
found experimentally. For example, the distribution of spectra of all single
stuck-at faults in a 4x4 Carry Save Adder (CSA) multiplier is shown in
Figure 56. The x-axis corresponds to the faulty node; nodes are ordered in
the reverse topological order.




Figure 55: Example of S-A-0 Fault



Figure 56: Spectrum Size Distribution of Stuck-at Faults in 4x4 Multiplier
(vertical axis: spectra size; horizontal axis: faults)

This figure indicates that a number of faults result in a substantial error
spectrum. However, regardless of the spectra size of stuck-at faults, we
demonstrate through experiments that these faults are easily detectable by
the vector sets for small spectral errors.

Module Substitution Error (MSE): A module is substituted by another
module of different functionality, but with the same number of inputs and
outputs, Figure 57. Depending on the replacement circuits and their position
in a logic network, various transforms can be obtained. In fact, module
replacement errors constitute the broadest class of all design errors, and
therefore, with the small exceptions discussed next, can be modeled only
implicitly. Consequently, the most commonly used techniques for their
verification are formal ones.

Figure 57: Module Substitution Error
a) Correct circuit
b) Erroneous circuit: adder replaced with circuit cl



Gate Replacements as Special Case of MSE: Module substitution errors
constitute a large class of design faults. However, on the netlist level, module
replacements reduce to the substitution of a correct gate with a gate of
different functionality. Hence, gate replacement errors play an important role
in gate-level verification, and we will have a closer look at them in many
parts of this book.

The most basic gate replacement error is when the original gate is
substituted by the erroneous gate of the same number of inputs and outputs.




Figure 58: Gate Replacement Error: Original Gate Replaced with
Erroneous Gate (original node N1; OR3 replaced with AND3 at node N1)

Consider a gate replacement error from Figure 58. AT of the error
function at node N1 is: $AT(AND3) - AT(OR3)$. After substituting
$AT(AND3) = abc$, and $AT(OR3) = a+b+c-ab-ac-bc+abc$, we obtain
$AT(e) = -a-b-c+ab+ac+bc$.
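
The Figure 58 calculation can be reproduced mechanically. The following is an added example, not code from the book: it computes the Arithmetic Transform of any small gate function from its truth table and subtracts the correct transform from the faulty one, so it also covers gate pairs other than OR3/AND3. The function names and the polynomial printing format are assumptions of this example.

```python
from itertools import product


def arithmetic_transform(func, names):
    """Arithmetic Transform of a 0/1-input function as {monomial: coefficient}.

    A monomial is a tuple of variable names; the empty tuple is the constant.
    """
    n = len(names)
    # Truth table: bit i of the index is the value assigned to names[i].
    coeffs = [int(func(*((idx >> i) & 1 for i in range(n))))
              for idx in range(1 << n)]
    # Butterfly over each variable: same data flow as the Reed-Muller
    # transform, but with integer subtraction instead of XOR over GF(2).
    for i in range(n):
        bit = 1 << i
        for idx in range(1 << n):
            if idx & bit:
                coeffs[idx] -= coeffs[idx ^ bit]
    return {tuple(names[i] for i in range(n) if (idx >> i) & 1): c
            for idx, c in enumerate(coeffs) if c}


def error_spectrum(correct, faulty, names):
    """AT(e) = AT(faulty) - AT(correct), using linearity of the transform."""
    return arithmetic_transform(lambda *v: faulty(*v) - correct(*v), names)


def detecting_vectors(correct, faulty, names):
    """Input vectors on which the error polynomial evaluates to nonzero."""
    return [v for v in product((0, 1), repeat=len(names))
            if correct(*v) != faulty(*v)]


def format_poly(spectrum):
    """Render a spectrum as a polynomial, lowest degree first."""
    parts = []
    for mono, c in sorted(spectrum.items(), key=lambda kv: (len(kv[0]), kv[0])):
        body = "".join(mono)
        text = body if (abs(c) == 1 and body) else f"{abs(c)}{body}"
        parts.append(("-" if c < 0 else "+", text))
    if not parts:
        return "0"
    out = ("-" if parts[0][0] == "-" else "") + parts[0][1]
    for sign, text in parts[1:]:
        out += f" {sign} {text}"
    return out


# Gate functions used in Figure 58.
OR3 = lambda a, b, c: a | b | c
AND3 = lambda a, b, c: a & b & c

if __name__ == "__main__":
    names = ["a", "b", "c"]
    print("AT(OR3)  =", format_poly(arithmetic_transform(OR3, names)))
    print("AT(AND3) =", format_poly(arithmetic_transform(AND3, names)))
    err = error_spectrum(OR3, AND3, names)
    print("AT(e)    =", format_poly(err))
    print("spectrum size:", len(err))
    print("detecting vectors:", detecting_vectors(OR3, AND3, names))
```

The error spectrum has six nonzero coefficients, and the error is exposed by every input vector except 000 and 111.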

The same approach is extended to errors by which gates are added or
removed from the netlist, Figure 59. Here, it is sufficient to calculate AT of
the correct and faulty function, and to subtract the two. In the first case,
Figure 59 a), the correct function OR3 is represented by
$AT(OR3) = a+b+c-ab-ac-bc+abc$, the erroneous replacement AND2OR2 is
represented as $AT(AND2OR2) = a+bc-abc$, and the error is
$AT(e) = b+c-ab-ac-2bc-2abc$. In the case of a missing gate, Figure 59 b),
the correct function is represented as $AT(OR2AND2) = ab+ac-abc$, the faulty
AT is $AT(AND3) = abc$ and $AT(e) = ab+ac-2abc$. Finally, for missing/added
inverter, Figure 59 c), $AT(e) = AT(a') - AT(a) = 1-a-a = 1-2a$.



Figure 59: Gate Replacement Errors: Missing and Added Gate
a) Original node N1; AND2 added to inputs of OR at node N1
b) Original node N1; OR2 missing at inputs to AND at node N1
c) Original line x; added inverter at line x. Missing inverter at line x; original line x with inverter



6. DESIGN ERROR DETECTION AND 
CORRECTION 

Integrated circuits with some manufacturing defects are rarely corrected. 
In practice, they are mostly discarded, unless subjected to a fault-tolerance 
scheme. Therefore, diagnosis methods for exact error identification are 
seldom used in terms of manufacturing testing of a single chip. They are 
rather applied to multi-chip designs with the aim of identifying a faulty 
block (one of the chips). The situation is completely different when it comes 
to netlist verification. It is no longer sufficient to merely detect the presence
of a fault in a verified circuit. The fault must be located and corrected before
a design reaches the production stage. Otherwise, an undetected fault will be 
duplicated in all manufactured circuits. 

Fault detection and its further correction are hence important components
of netlist verification through simulations. So far we have mainly considered
various techniques for fault detection. We now present the main techniques
for Design Error Detection and Correction (DEDC). Approaches discussed
here are used to locate design errors that are introduced either by manual
interventions, design revisions or even by tool errors. While DEDC can also
be based on formal methods, we deal here only with the simulation-based
schemes. We notice that formal methods might still be valuable in
DEDC, because simulation-based DEDC is only as comprehensive as the
test vectors applied.

As in the diagnosis of manufacturing faults, results obtained from fault
simulations are also used for error location. Naturally, the two approaches
differ, as the corresponding fault models do. Manufacturing testing deals, among
others, with s-a-v, bridging and delay faults, while netlist verification
operates on erroneous gate and wire replacements introduced in Section 2.

In DEDC, the diagnosis step is only the first part of the overall 
procedure. The second component of DEDC is a correction, done by 
undertaking the following set of replacements. For a suspected error 
location, all possible errors belonging to the model (e.g. gate and wire faults) 
are tried and compared to the faulty behavior. Finally, if the implementation 
becomes correct after introducing a fault, the design correction has been 
achieved. We then say that the design modification that cancels out the 
faulty behavior has been undertaken. 

The simplest underlying assumption is that the implementation is single- 
fix correctable, i.e., that the modification of a single signal re-creates the 
correct implementation. In many cases, this might not be true, and then the 
algorithms for design correction have to deal with multiple node corrections. 

To deal with any diagnosis or error correction, we consider only those 
parts of a circuit that carry information relevant to the error cause and 
location. The first step is to divide a set of circuit responses to a given test 
vector into two subsets: correct outputs and incorrect outputs. Only the latter 
are of use in the detection part of the DEDC. We can “zoom in” even further
on the cause/location of the fault in a circuit by considering the fanin cones,
defined as the union of all signals in the fanin of a given primary output.
Signals that are outside the intersection of all the incorrect output fanin 
cones are clearly not responsible for the fault. Hence, all such signals can be 
safely ignored in a search for the fault site. 

Example 37: Figure 60 illustrates the case where two outputs differ for a
given test vector. The fanin cone intersections are obtained by the backward
circuit traversal from incorrect outputs. Only the signals contained in both
cones can be the sites of a single error causing the two faulty outputs.

Figure 60: Diagnosis by Cone Intersection

In practice, the set of candidate fault sites has to be further minimized by
various reductions, either exact or heuristic. This is especially true for
multiple-site faults, referred to as k-signal errors. In particular, if a set of
signals does not fan out to all faulty sites, then this set is not a source of the
k-signal error.

6.1 Path Trace Procedure 

Several practical realizations of DEDC exist, including [3], [132] and
[98]. The simplest solution would be the extension of diagnosis methods
used in manufacturing testing for s-a-v faults to wider classes of design 
errors. However, the abundance of possible design faults leads to inherent 
combinatorial explosion in diagnosing, i.e., pinpointing the location of an 
error. In consequence, simple methods based on covering a fault dictionary 
table, as in Chapter 4, Section 5.3 are impractical in netlist diagnosis. 

In order to overcome this problem, selected errors are sampled and 
search is performed implicitly in [132]. Possible error lines are enumerated 
implicitly by path-trace procedure that starts from the faulty output and 
marks a random selection of controlling lines in the backward traversal. The 
overall diagnosis scheme is then based on the observation that the 
simulations of vectors that propagate the fault to various outputs are going to 
leave a non-empty intersection of marked lines [132]. This intersection is 
then the source of an error. 

For the case of multiple faults, the same observation is not valid. In that
case, error tracing by line marking is replaced by the concept of a graph
intersection. Such a graph encodes relations between observed output
mismatches and possible faults, and is updated on every simulation run
that detects a fault. Naturally, graphs can soon grow out of proportion, and
therefore some methods of their minimization must be applied. For
example, the graph size can be reduced by finding equivalent nodes, i.e.,
cliques in the graph [54]. Again, all faults can be implicitly enumerated by
such a graph, and the same random sampling procedure provides guarantees
that all faults will be represented.

The design correction is the second step of the overall procedure in
which all the suspicious lines marked in the first part are locally changed by
inserting faults from the fault models, such as gate and wire replacements.
Then, simulations suffice to confirm whether the replacement corrects the
error.

6.2 Back-propagation

Another approach to DEDC has been proposed by Kuehlmann et al. in 
[79]. Similar to critical path tracing, the back-propagation approach is based 
on identifying a suspect region of a circuit by tracing an error from a faulty 
output, towards primary inputs. The algorithm is executed in two loops. The 
outer loop iterates through faulty vectors, while the inner loop considers one 
faulty output at a time. Every iteration generates a list of suspect signals by a 
recursive backward propagation procedure. The overall decision is 
composed as an intersection of suspect signals obtained in each iteration. 

The back-propagation routine is the most sophisticated part of the 
algorithm. This procedure inputs a given signal, decides which fanins to 
examine, and marks the nodes according to a well-developed set of local 
rules at a given node in the network. 

For simple gates, such as AND, OR and NOT, local rules quickly identify 
a backwards propagation direction by selecting the controlling (e.g., 0 for 
AND) fanins, except if all the signals to a given gate are non-controlling. 
More complex gates are then expressed in terms of the simple gates, and the 
same rules are applied. 

For multiple errors, the back-propagation algorithm builds a dynamic 
estimate of an error probability of a suspected signal. This probability 
estimate is then used to guide the search towards the most likely multiple 
faults. A natural improvement to the probability estimation is to use a more 
detailed observability measure, analogous to ODC calculation in Chapter 3. 
Similar to the back-propagation rules, the observability measure distinguishes
controlling and non-controlling signals. The observability measure is split
evenly among all controlling values at a gate, and then it proceeds
recursively in the backwards propagation.







6.3 Boolean Difference Approximation by Simulations 

Detection and correction of errors in macro-based circuits is yet another 
important aspect of netlist verification. Although designs are rarely 
constructed entirely from macro-blocks, they often are parts of larger 
systems. First of all, verification of macro-blocks requires a redefinition of 
an error. Due to inaccessibility of the hardware structure of macro-blocks, 
errors are perceived in terms of ill-functioning of complete blocks or block 
interconnections, instead of more refined models of erroneous gate or wire 
replacements inside macro-blocks. Therefore error diagnosis amounts to
pinpointing which macro-block is defective. This is nothing unusual, as
manufacturing diagnosis is also most often called to determine which chip
in a multi-chip (board) design is defective and subject to replacement.

Pomeranz et al. addressed in [98] an issue of error correction in circuits 
composed entirely from macro-blocks. The method performed a diagnosis 
under the assumption that a complete test set detecting all netlist errors in 
macro-block is given. The authors proposed practical filters for locating the 
fault sites based on the fact that if a vector cannot sensitize the mismatch of 
the signal s at an output, then the erroneous response will not be corrected by 
changing the function of s. In other words, if the vector is not included in the 
Boolean difference of an output with respect to the signal under 
consideration, the signal is not responsible for the fault. A significant novelty
is that the filtering of signals with respect to the Boolean difference is
achieved by simulating the fanout cone of the signal, rather than by 
computing the Boolean difference explicitly. The fanout cone in this case is 
the set of downstream signals from a given node. 

Example 38: Boolean difference exploration by simulation is performed by a
step simulating the effect of inverting a variable in a netlist. For the two-input
AND gate in Figure 61, input variable $x_1$ is inverted. If at least a single
primary output, say $O_1$, becomes inverted as a result of the simulation run,
then the signal h is regarded as a candidate for correction.




Figure 61: Boolean Difference by Simulations (primary outputs $O_1$ and $O_2$)

The same approach has been extended to multiple-site error detection and
correction. The single-error procedure is applied iteratively until the error is
corrected. Because of the combinatorial explosion in the search space,
heuristic measures are used to guide the selections of suitable single-error
fixes. Such heuristics aim to decrease the distance to the correct circuit
implementation. The procedure is not guaranteed to complete and the circuit
can still remain erroneous, but the good point of the algorithm is that the
underlying simulation engine scales better than the formal approaches [98].

The remainder of this book will focus on presenting and evaluating an
implicit fault model in relation to the explicit design errors, such as gate and
wire replacements. Our approach will be somewhat related to the DEDC
scenario, however, we will provide provable guarantees on the design
correction capabilities for our implicit fault model of small AT errors.
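
The simulation-based DEDC steps of this section can be followed end to end on a small netlist. The following is an added example, not code from the book or from the cited tools: it applies fanin-cone intersection (Example 37), the Boolean-difference filter by simulation (Example 38) and single-fix correction by trial gate replacement to a constructed six-gate circuit with one injected error. The netlist, the signal names, and the rule that a candidate must flip at least one mismatching output on every failing vector are assumptions of this example.

```python
from itertools import product

GATES = {
    "AND": lambda x, y: x & y,
    "OR": lambda x, y: x | y,
    "XOR": lambda x, y: x ^ y,
    "NAND": lambda x, y: 1 - (x & y),
    "NOR": lambda x, y: 1 - (x | y),
}
INPUTS = ["a", "b", "c", "d"]
OUTPUTS = ["o1", "o2", "o3"]
# Constructed netlist in topological order: signal -> (gate, fanins).
SPEC = {
    "n1": ("AND", ["a", "b"]),
    "n2": ("OR", ["b", "c"]),
    "n3": ("XOR", ["c", "d"]),
    "o1": ("OR", ["n1", "n2"]),
    "o2": ("AND", ["n2", "n3"]),
    "o3": ("OR", ["n3", "a"]),
}
# Implementation with one injected gate replacement error: OR -> AND at n2.
IMPL = dict(SPEC, n2=("AND", ["b", "c"]))

def simulate(netlist, vector, force=None):
    """Evaluate every signal; `force` pins chosen signals to given values."""
    force = force or {}
    val = {name: force.get(name, bit) for name, bit in zip(INPUTS, vector)}
    for sig, (gate, fanins) in netlist.items():
        val[sig] = force.get(sig, GATES[gate](*(val[f] for f in fanins)))
    return val

def failing_cases(spec, impl):
    """Map each detecting vector to the set of mismatching primary outputs."""
    cases = {}
    for vec in product((0, 1), repeat=len(INPUTS)):
        good, bad = simulate(spec, vec), simulate(impl, vec)
        wrong = {o for o in OUTPUTS if good[o] != bad[o]}
        if wrong:
            cases[vec] = wrong
    return cases

def fanin_cone(netlist, output):
    """Backward traversal collecting every signal in the fanin of `output`."""
    cone, stack = set(), [output]
    while stack:
        sig = stack.pop()
        if sig not in cone:
            cone.add(sig)
            if sig in netlist:  # primary inputs have no fanins
                stack.extend(netlist[sig][1])
    return cone

def cone_intersection(impl, cases):
    """Signals lying in the fanin cone of every incorrect output."""
    wrong_outputs = set().union(*cases.values()) if cases else set()
    cones = [fanin_cone(impl, o) for o in sorted(wrong_outputs)]
    return set.intersection(*cones) if cones else set()

def boolean_difference_filter(impl, cases, candidates):
    """Keep signals whose inversion flips a mismatching output on every
    failing vector (this example's rule for combining vectors)."""
    kept = set()
    for sig in candidates:
        for vec, wrong in cases.items():
            base = simulate(impl, vec)
            flipped = simulate(impl, vec, force={sig: 1 - base[sig]})
            if all(flipped[o] == base[o] for o in wrong):
                break  # this vector is not sensitized through sig
        else:
            kept.add(sig)
    return kept

def single_fix(spec, impl, candidates):
    """Try every other gate type at each candidate; return working fixes."""
    fixes = []
    for sig in sorted(candidates):
        if sig not in impl:
            continue  # primary input: no gate to replace
        old_gate, fanins = impl[sig]
        for gate in GATES:
            trial = dict(impl, **{sig: (gate, fanins)})
            if gate != old_gate and not failing_cases(spec, trial):
                fixes.append((sig, gate))
    return fixes

def diagnose_and_correct(spec, impl):
    cases = failing_cases(spec, impl)
    cone = cone_intersection(impl, cases)
    suspects = boolean_difference_filter(impl, cases, cone)
    return cone, suspects, single_fix(spec, impl, suspects)

if __name__ == "__main__":
    cone, suspects, fixes = diagnose_and_correct(SPEC, IMPL)
    print("cone intersection:", sorted(cone))
    print("after Boolean-difference filter:", sorted(suspects))
    print("single-fix corrections:", fixes)
```

Cone intersection alone leaves three candidate signals; the simulated inversion removes the two primary inputs, and only one gate replacement at the remaining node restores the specified behavior on all input vectors.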



7. CONCLUSIONS 

In this chapter we first reviewed the pertinent fault modeling of netlist
errors. While there is an abundance of design errors documented by
countless design teams, only a few published results on the classification of
such errors exist. We analyzed some of the most recent work in the area, and
have pointed to the similarities and the differences in the approaches.
Although there are differences in techniques used to actually represent
netlist errors, still predominant is the explicit way of modeling design errors.

Due to the lack of standardization, error classification results depend on 
the pre-conceived notion of what an error is - discrepancies can be noticed in 
different publications. For example, some models include the specification 
errors as well as the errors encountered in setting up the formal verification 
schemes [131]. Even larger divergence is caused by the difference in design
methodologies. Design teams nowadays widely apply modern tools and
coding practices, including "linting" that helps eliminate a large number of
mistakes before even synthesizing and simulating a netlist. By identifying 
RTL issues like event ordering problems, race conditions, latch inferencing, 
and combination loop problems, many of the common design mistakes done 
in the past are now routinely avoided. 

Finally, we presented the concept and an instance of implicit error
models based on the Arithmetic Transform. As the complexity of digital
systems increases, increased abstraction in design error models is becoming
more and more appealing.




Chapter 6 

DESIGN VERIFICATION BY AT 

Using Implicit Fault Model 



In this chapter, we investigate methodology for simulation-based verification 
under a fault model. Since it is currently not feasible to describe a 
comprehensive explicit model of design errors, we propose an implicit fault 
model, which is based on the Arithmetic Transform (AT) spectral 
representation of faults. The verification of circuits under the assumption of 
small errors in spectral domain is then performed by the Universal Test Set 
(UTS) approach to test vector generation. The major result in this chapter 
shows that for errors whose AT has at most t nonzero coefficients, there exist 
the UTS test vector set of size Consequently, verification confidence

can be parameterized by the size of the error t, where at most 
verification vectors are simulated to prove the absence of a fault belonging to 
such an implicitly defined fault class. The experimental confirmation of the 
feasibility of the verification approach using this UTS method is presented, 
together with the relations between the Arithmetic and Walsh-Hadamard 
spectra. This will provide us with bounds on the AT error spectrum, and show
that a class of small error circuits has small error spectrum. The proposed 
approach has the advantage of compatibility with formal verification and 
testing methods. 



1. INTRODUCTION 

Modern microprocessors, embedded and signal processors, and
communication integrated circuits utilize various arithmetic circuits in their 
datapaths. The implementations of such datapaths vary in area, delay and 
power constraints. Hence, a broad spectrum of hardware realizations can be 
found, from custom to those that are using the standard library elements. 
Their design, testing and verification pose a major challenge. 

Verification of arithmetic circuits has exposed the limits of early formal
verification methods based on Decision Diagrams (DDs). The proposed
solutions initially used Reduced Ordered Binary Decision Diagrams
(ROBDDs), with the hope of making the verification of arithmetic circuits
more efficient. ROBDDs indeed verify circuits like adders in polynomial
time, but are of exponential size for multipliers [22]. Extensions to
ROBDDs were proposed, among which most relevant to the arithmetic
circuit representation are word-level diagrams, like Binary Moment
Diagrams, *BMDs [23]. The most inclusive class of such diagrams consists
of Word Level Decision Diagrams (WLDDs) [115]. However, the common
limitation of any WLDDs is their inability to represent dividers in
polynomial size.

WLDDs have been used for equivalence checking - a procedure that 
verifies a function implementation against its specification. This approach is 
analogous to an exhaustive checking of a function for each input 
combination. However, a smaller number of tests could be performed. For 
example, if a list of all possible design errors were known, one could,
similarly to manufacturing testing, devise a set of test vectors that target all
these faults. Further, as we have shown in the previous chapter, some design 
errors can be related to s-a-v faults, and therefore, the effort in developing 
verification vectors for design errors could also be directed towards 
providing stimuli for manufacturing testing. All that is not possible to 
achieve by formal verifications alone [64], which are known not to scale 
well. 

In this chapter we present new results in simulation-based verification by
error modeling. Existing design error models, described in the previous
chapter, attempt to explicitly capture design failures at the gate level. However,
explicit representations of design errors have their limitations (Chapter 5,
Section 4). Since there is no established design error model yet, unlike that
for manufacturing fault testing, we can consider an alternative, i.e., an
implicit error model, in a scheme that provides a bridge between formal and
simulation-based verifications. Traditional simulation-based verification
methods can only assess the quality of test vectors by actual simulations
under explicit fault models. Similarly, the quality of design verification
under implicit error modeling can be assessed through simulations.
However, here we have an alternative. In this chapter we resort to
calculating theoretical bounds on the quality of simulation-based schemes
using the characteristics of the faults, instead of performing simulations.

For representing errors and for test vector generation we use Arithmetic 
Transform (AT), which we introduced in Chapter 2. AT is exactly the 
underlying representation employed in WLDDs. We provide bounds on the 
size of the test vector set for errors whose AT representation is restricted in
size. In addition, we present experiments demonstrating the verification
of datapath circuits based on AT. To show how the proposed implicit
modeling of design errors relates to actual faults in netlists, we apply AT test
vectors to detecting concrete gate-level design errors described in the
previous chapter.

In this chapter we assume the combinational model of circuits under 
verification; and do not address the FSM verification. However, this and 
other combinational circuit verification procedures can tackle successfully 
some classes of sequential circuits, such as sequential datapaths. The key 
observation is that internal registers can, similarly to scan-based testing for 
manufacturing faults, serve as pseudo primary I/Os. Hence, values of 
registers within the circuit can be observed and set in any individual 
simulation run. 

Related to verification is the need to find a source of an error, such that it 
can be easily removed. Therefore, critical is not only fault detection, but also 
its diagnosis and correction. Formal verification methods based on 
equivalence checking are known to be of little assistance in diagnosis, 
leading to substantial difficulties in finding an error source once an 
implementation has been proven incorrect [64]. Similarly, most of the 
simulation-based verification schemes employ random test generation, 
which does not provide any diagnosis information. In our approach, we 
present the test vector generation that is provably sufficient for diagnosis and 
even error correction for the considered implicit design fault model. The 
error correction, which borrows solutions used in communication, is
incomparably simpler than schemes described at the end of the previous
chapter.

There is yet another benefit of using AT as a way of modeling circuits 
and errors in simulation verification of netlists. Arithmetic Transform and its 
extensions not only provide a compact circuit and error representation at the 
gate level, but are also suitable for describing circuits at higher levels of 
abstraction. In fact, in [102] we proposed a method for formal verification of 
sequential and imprecise arithmetic circuits, which uses exactly AT for 
circuit description. Providing common grounds for circuit representations
acceptable in both formal and simulation-based methods is a very important 
step towards making compatible the two verification approaches. 
Traditionally different techniques are applied to circuit verification at 
various stages of a design flow. Often, the choice of a verification method is 
dictated by the most appealing way of modeling a design and errors at a 
considered level of abstraction. For example, due to the similarities among 
design and implementation errors in netlists, simulations are the most 
favorable choice of leading verification techniques at this level of circuit 
abstraction. The opposite can be said about verification of more abstract 
forms of circuit description. Difficulties in specifying compact fault models 
at higher level of circuit abstractions led to the adoption of formal
verifications as a first choice. It is now generally accepted that neither
formal, nor simulation methods can alone successfully verify wide classes of
circuits. Ideally these two approaches should be combined in a single
verification flow. However, as they rely on vastly differing data structures, it 
is not simple to merge them. The simulation-based verification proposed in 
this chapter together with equivalence checking of sequential [102] and 
imprecise arithmetic circuits [107] address these problems, as Arithmetic 
Transform is the same representation used in formal verification of datapaths 
by word-level decision diagrams [23]. 



2. DETECTING SMALL AT ERRORS 

The implicit error model proposed in this chapter consists of all faults 
whose number of nonzero AT coefficients is smaller than some assumed 
value. In Chapter 5 we have shown that common design errors are described
by ATs with only few terms, i.e., "small" spectra. The size of a test vector
set is related to the number of spectral coefficients of an error (spectral error 
size). If errors are small, then a test vector set detecting them is also small. In 
fact, as shown next, such a vector set is the Universal Diagnosis Set for 
errors parameterized by their AT size. 

2.1 Universal Test Set 

The notion of the Universal Test Set (UTS) was initiated by the need to 
derive a vector test set from a functional definition only. Practical 
applications of UTS take several forms. For example, UTS has been applied
to testing for all possible faults in circuits whose implementation details are 
unknown [59], or for detecting all faults in a given technology, as CMOS 
[73]. Alternatively, UTS is used to detect all faults (usually stuck-at) in a 
specific class of circuit implementations, such as EXOR-Sum-of-Products 
[72]. In our context, UTS is perceived as a test set that detects a complete 
well-defined class of errors. We present UTS that targets a class of faults 
whose AT spectrum size is smaller than a given bound. 

The natural extension of the above concept is the Universal Diagnosis
Set (UDS), which we define as the vector set that, in addition to detecting,
can also uniquely identify all faults from a particular class. In our case,
vectors from UDS are applied to detect errors of bounded AT sizes.

2.2 AT-based Universal Diagnosis Set

In Chapter 2 we have shown that AT of an arbitrary pseudo-Boolean
function can be obtained by multiplying the function values by the transform
matrix $T_n$. Recall that the recursive form of AT transform matrix of order n
is:

(1)

For n = 3, the matrix $T_3$ is:

$$
T_3 = \begin{bmatrix}
 1 &  0 &  0 &  0 &  0 &  0 &  0 & 0 \\
-1 &  1 &  0 &  0 &  0 &  0 &  0 & 0 \\
-1 &  0 &  1 &  0 &  0 &  0 &  0 & 0 \\
 1 & -1 & -1 &  1 &  0 &  0 &  0 & 0 \\
-1 &  0 &  0 &  0 &  1 &  0 &  0 & 0 \\
 1 & -1 &  0 &  0 & -1 &  1 &  0 & 0 \\
 1 &  0 & -1 &  0 & -1 &  0 &  1 & 0 \\
-1 &  1 &  1 & -1 &  1 & -1 & -1 & 1
\end{bmatrix}. \tag{2}
$$



Each column of $T_n$ corresponds to a combination of function inputs, i.e.,
to a test vector. Hence, obtaining a vector set amounts to choosing columns
from $T_n$. We seek a UDS set to reconstruct a function under the presence of
an error by a minimal number of test vectors.

In the proposed verification scenario, arithmetic spectrum is used as a 
specification. The AT polynomial of a given arithmetic operation is known, 
and depends on the data type used. The knowledge of the shape of a 
canonical representation (in our case a polynomial) is typically used in 
formal verification to check whether the circuit is correct. Contrary to this, 
we use the shape of error polynomials to verify the absence of an error by a 
minimum amount of vector simulations. 

To obtain UDS, we notice that the polynomial representing a function
can be found by multiplying function outputs by the matrix $T_n$. The structure
of this matrix is identical to that of the RM error correcting code check
matrix [111]. However, arithmetic is performed over real numbers (or their
integer subset), rather than over the finite field GF(2). Similar to the case of
RM Transform [42], we show that the redundancy incorporated in the matrix
allows us to find a minimal test, diagnosis and correction vector set for the
case of a bounded spectrum error.

To find UDS, we use an auxiliary error check matrix $H_r$ that consists of
the rows of corresponding to the vectors in the top $r+1$ lattice layers.
The matrix $H_r$ has $2^n$ columns, while the number of rows is equal to the
number of points in the top $r+1$ lattice layers. Lemma 11 in Appendix 1
states that the matrix $H_r$ has at least $2^{r+1}-1$ independent columns. We
require this information to prove the error correcting capability of UDS.

The following theorem is used to derive UDS for the case of errors of
bounded spectrum. It shows that the top $O(\log_2 t)$ layers are needed to detect
and correct an AT error polynomial of t terms. Recall from Chapter 2 that
two bottom lattice layers (0 and 1) are sufficient to represent adders and
multipliers by AT.



Theorem 5: Consider an error superimposed to an n-variable function. Any
error whose AT has at most t spectral coefficients can be uniquely identified
by examining $v = \sum_{i=0}^{\lceil \log_2(t+1) \rceil - 1} \binom{n}{i}$
points (vectors) in $\lceil \log_2(t+1) \rceil - 1$ upper layers of the lattice.

Proof: By selecting all the points from the upper
$\lceil \log_2(t+1) \rceil - 1$ lattice layers, we obtain the error check matrix
$H_{\lceil \log_2(t+1) \rceil - 1}$ of size $v \times 2^n$. To
detect and correct any error polynomial with up to t terms, it is sufficient to
check that each 2t rows of $H_{\lceil \log_2(t+1) \rceil - 1}$ are independent.
By applying Lemma 11 in Appendix 1, we prove that the minimal number of
independent rows is: $2^{\lceil \log_2(t+1) \rceil - 1 + 1} - 1 > 2t$.
Therefore, any polynomial with up to t terms is uniquely identified. ■



Theorem 5 uses the properties of Arithmetic Transform that are identical 
to those of binary RM Transform. A theorem for detecting faults in the case 
of binary RM Transform can be found in [42] and [111]. While RM 
Transform is of exponential size even for adders, the corresponding AT is of 
polynomial size for adders and multipliers; hence, our result is more 
practical for verification of arithmetic circuits. Additionally, Theorem 5 
offers a generalization of results in [42] for functions with non-binary 
outputs and word-level arithmetic. Another result, this time for functions 
with non-binary inputs, has been provided in [43] using multiple-valued RM 
Transform and the finite field arithmetic. 

Theorem 5 gives an upper bound on the number of points that have to be 
simulated to detect and uniquely identify the class of t-term AT polynomial 
errors. Hence, an error superimposed on a correct circuit will be exactly 
identified by a minimum number of test vectors. In actual circuits, faults that 
involve many more spectral coefficients will be detected, if the only goal is 
the error detection. 
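
The linear-algebra argument behind Theorem 5, as an added example (not code from the book). It assumes that $H_r$ holds the value of every AT monomial at each vector of the top r+1 lattice layers, checks on small cases that the smallest dependent column set has $2^{r+1}$ columns (so any $2^{r+1} - 1$ are independent, as cited from Lemma 11), and then applies the proof's criterion (every 2t columns independent) to recover a two-term error from 22 of the 64 input vectors. The 3-bit adder, the wire-replacement fault and all function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations


def top_layers(n, r):
    """Input vectors with at most r zeros (the top r+1 lattice layers), as bit masks."""
    full = (1 << n) - 1
    return [full & ~sum(1 << p for p in zeros)
            for k in range(r + 1) for zeros in combinations(range(n), k)]


def check_matrix(n, r):
    """Assumed form of H_r: entry [v][s] is the value of AT monomial s at vector v,
    where bit i of s means that variable x_i is a factor of the monomial."""
    return [[int((s & v) == s) for s in range(1 << n)] for v in top_layers(n, r)]


def solve(H, cols, rhs):
    """Exact rational solution c of H[:, cols] * c = rhs.
    Returns None when the chosen columns are dependent or the system is inconsistent."""
    rows = [[Fraction(row[j]) for j in cols] + [Fraction(b)] for row, b in zip(H, rhs)]
    k = len(cols)
    for col in range(k):
        pivot = next((i for i in range(col, len(rows)) if rows[i][col] != 0), None)
        if pivot is None:
            return None                       # no pivot left: columns are dependent
        rows[col], rows[pivot] = rows[pivot], rows[col]
        rows[col] = [x / rows[col][col] for x in rows[col]]
        for i in range(len(rows)):
            if i != col and rows[i][col] != 0:
                factor = rows[i][col]
                rows[i] = [a - factor * b for a, b in zip(rows[i], rows[col])]
    if any(row[k] != 0 for row in rows[k:]):
        return None                           # responses cannot be produced by these terms
    return [rows[i][k] for i in range(k)]


def smallest_dependent_set(H, max_size):
    """Size of the smallest linearly dependent set of columns of H (searched up to max_size)."""
    zero = [0] * len(H)
    for k in range(1, max_size + 1):
        for cols in combinations(range(len(H[0])), k):
            if solve(H, cols, zero) is None:
                return k
    return None


def identify_error(n, r, t, response):
    """All error polynomials with at most t nonzero AT terms that reproduce the
    responses observed on the top r+1 layers, as {monomial mask: coefficient}."""
    H = check_matrix(n, r)
    found = []
    for k in range(t + 1):
        for cols in combinations(range(1 << n), k):
            coeffs = solve(H, cols, response)
            if coeffs is not None and all(c != 0 for c in coeffs):
                found.append(dict(zip(cols, coeffs)))
    return found


def spec(v):
    """Specification: 3-bit unsigned adder, a = bits 0..2 of v, b = bits 3..5."""
    return (v & 7) + (v >> 3)


def faulty(v):
    """Constructed wire replacement: stage 1 reads a2 where it should read a1."""
    a0, a2, b = v & 1, (v >> 2) & 1, v >> 3
    return a0 + 2 * a2 + 4 * a2 + b


def demo():
    n, r, t = 6, 2, 2                         # 2t = 4 <= 2^(r+1) - 1 = 7
    vectors = top_layers(n, r)
    response = [faulty(v) - spec(v) for v in vectors]
    return len(vectors), identify_error(n, r, t, response)


if __name__ == "__main__":
    count, errors = demo()
    print(count, "vectors simulated; identified error terms:", errors)
```

The single polynomial returned is $-2a_1 + 2a_2$, which is exactly the difference between the faulty and the specified adder.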



3. BOUNDING ERROR BY WALSH TRANSFORM 

We now investigate how implicit errors given by their AT translate into 
explicit error circuits. In particular, we consider superimposed errors as 
classes of circuits, rather than polynomials. In practice, such erroneous 
additions to the circuit are likely to be “small”; otherwise they would easily 
be detected in a design process. A more formal definition of small circuits is 
hard to present due to many dependencies on the design implementation and 
gates used. For example, a circuit may have a compact Sum-of-Product 
implementation, while Product-of-Sums realization is of exponential size. 
The same is true with respect to gate implementation (e.g., OR vs. XOR). 

Often used in theory is the class of “constant depth circuits”, whose depth 
does not grow with the number of inputs [84]. Results in [84] show that 
Walsh-Hadamard (WHT) spectra of this class of circuits are small and 
concentrated in low order coefficients. In this section, we show that AT and 
a version of WHT spectra are in the direct proportional relation [106]. 
Hence, the original assumption of small AT error spectrum extends to small 
WHT spectrum. Consequently, considered errors can be represented as small 
circuits [84]. 

We start the comparison of two spectral representations by applying 
Equation (1) to construct AT of an arbitrary pseudo-Boolean function: 



Walsh-Hadamard Transform is recursively defined by the transform 
matrix: 

The negation of rows (or columns) of matrix leads to the alternative 
orthogonal transform that belongs to the same family of Walsh transforms 
[66]. Such negation preserves the sums of absolute values of spectral 
coefficients and their squares (energy density spectrum). To facilitate the 
comparison, we define a new matrix, which is generated by inverting 
half of the rows of the transform matrix: 

We refer to this transform as negated Walsh Transform (nWT). For n = 3: 



Matrix $T_3^{*}$ has the entries in rows 2, 3, 5 and 8 inverted. To derive a 
relation between the nWT and arithmetic spectra, we compare $T_n$ to . 

For comparison purpose, we evaluate the difference between negated 
Walsh and Arithmetic Transforms, referred to as $A_n$. For n = 3 we have: 

$A_3 = T_3^{*} - T_3 =$ 

In general, the structure of $A_n$ is described by the following lemma. 

Lemma 2: The recursive form of matrix $A_n$ is: 

Proof (by induction): It is sufficient to prove that $A_n + T_n = T_n^{*}$. 

Induction Base: For k = 3, we have just shown that $A_3 + T_3 = T_3^{*}$. 

Induction Step: Assume that the claim is true for n = k. Then, for k + 1, the 
definition is: 
3.1 Spectrum Comparison 

Using the recursively defined difference between a negated version of 
Walsh-Hadamard and Arithmetic Transforms, we now compare the sums of 
the spectral coefficients, $\sum_{i=0}^{2^n-1} C_i^{*}$, calculated as: 

By changing the order of summation, the inner sum is obtained by adding 
columns first: 

$S(T^{*}) = \sum_{i=0}^{2^n-1} C_i^{*} = \sum_{j=0}^{2^n-1} f_j \left( \sum_{i=0}^{2^n-1} t_{ij}^{*} \right)$ 

The same transformation is used for determining $\sum_{i=0}^{2^n-1} C_i^{AT}$, as well as 
sums and differences of the spectra: 

$\sum_{i=0}^{2^n-1} (C_i^{*} + C_i^{AT})$ and $\sum_{i=0}^{2^n-1} (C_i^{*} - C_i^{AT})$ 

Arithmetic and negated Walsh spectra are related by the following 
Theorem. 

Theorem 6: The sum $S(T^{*})$ of all spectral coefficients of nWT obtained 
using $T^{*}$ is always $2^n$ times larger than the sum of all Arithmetic Transform 
coefficients. ■ 

The proof is presented in Appendix II, together with an auxiliary lemma 
characterizing matrices $A_n$ and $B_n$. Theorem 6 shows that there is a direct 
proportional relation between AT and nWT spectra sums. This result 
indicates that the sum of spectral coefficients of constant depth circuits 
remains bounded in AT domain. More specifically, an error circuit having a 
small WHT spectrum also has a small AT spectrum, and hence could be 
tested by our AT-based method using a small number of lattice layers. 

3.2 Spectrum Distribution and Partial Spectra Comparison 

In order to complete the spectrum comparison, it is important not only to 
know the total sums of spectral coefficients, but also their distribution. For 
example, in [84] authors present the characterization of small depth circuits 
by their concentration in low-order spectral coefficients of Walsh-Hadamard 
Transform. To investigate the distributions of two spectra, we relate their 
partial spectra, i.e., subsets of spectral coefficients. 

Relations similar to that in Theorem 6 can be proven for partial spectra of 
n-variable functions. We say that the upper half of the spectrum is obtained 
by restricting one variable (say $x_0$) to 1 and denote such partial spectra as 
$\sum C^{*}|_{x_0}$ and $\sum C^{AT}|_{x_0}$. By considering the upper halves of spectral 
coefficients, and applying the same comparison as in Appendix II, we 
obtain: 

$\sum_{i=2^{n-1}}^{2^n-1}$ 

leading to: 

$\sum C^{*}|_{x_0} = 2^{n-1} \sum C^{AT}|_{x_0}$ 

Note that the multiplicative factor $2^{n-1}$ is halved relative to the one used 
in the total spectra comparison. When the same restriction is applied to 
several input variables, this multiplicative factor reduces exponentially in the 
number of variables assigned. Extending the argument above easily proves 
the following theorem. 

Theorem 7: The upper part of the AT spectrum corresponding to the 
assignment of “i” variables to 1 is $2^{n-i}$ times smaller than that of the nWT 
spectrum: 

$\sum C^{*}| = 2^{n-i} \sum C^{AT}|$ ■ 

In the border case, i.e., when all variables are assigned to one, the last 
coefficient $C_{11 \ldots 1}$ is the same for both of these transforms, as can be verified 
by inspecting the transform matrices. 

These partial spectra comparisons show that the AT spectrum of a 
function has higher content of high-order coefficients, while the sum of all 
spectral coefficients is in direct proportional relation to that of nWT. In other 
words, functions that have small spectrum in AT domain also have small 
WHT spectrum that is more concentrated in low-order coefficients. This 
property is characteristic for constant depth functions. 





3.3 Absolute Value Comparison 

While the previous two theorems relate the sums of spectral coefficients, 
the evaluation of absolute values, and/or the squares of coefficients (energy 
spectra) would also be instructive in comparison of the AT and WHT 
spectra. Moreover, the comparison of the sum of absolute values of AT with 
nWT (Equation 4), naturally holds for WHT (Equation 3), as the absolute 
value sums of WHT and nWT coefficients are equal. We first deal with a set 
of functions for which we can prove that such a sum is always smaller for 
AT than for WHT. Then, we extend the comparison to the sums of absolute 
spectrum values for all functions. 

We first consider absolute values of spectral coefficients for unate 
functions. 

Definition 12: A function is unate if for each variable “x”, either $f_{\bar{x}} \geq f_x$ 
or $f_{\bar{x}} \leq f_x$. Many useful arithmetic circuits, such as adders and multipliers, 
are unate for unsigned integer encoding, and have positive AT spectra. 

Theorem 8: The sum of absolute values of AT coefficients of unsigned 
integer arithmetic circuits is always smaller than the corresponding sum of 
Walsh-Hadamard coefficients. 

Proof: Unsigned integer arithmetic functions are unate at word level. Hence 
all AT spectral coefficients are positive. In that case, as: 

the comparison extends to the sum of the absolute values of the spectral 
coefficients; 

In general, for functions that are not necessarily unate, it is not true that the 
sum of absolute values of AT spectra is smaller than that of WHT spectra. 
Indeed, consider the following counterexample where 

Example 39: Consider a 4-variable Boolean function $f: B^4 \to B$, given by 
its truth table. The next two tables contain the spectral coefficients of its AT 
and WHT, respectively: 
There is a gap between bounds on sums of the spectra of these two 
transforms, as proven next. 

Lemma 3: The sums of absolute values of spectral coefficients are bounded 
for all Boolean functions as: 

1) $\sum_{i=0}^{2^n-1} |C_i| \leq 4^n$ for WHT spectra 

2) $\sum_{i=0}^{2^n-1} |C_i| \leq 3^n$ for AT spectra. 

Proof: The sum of absolute values of the spectra is obtained as: 

The bounds are determined by calculating the number of nonzero entries in 
the two transform matrices. 

Case 1: All the entries have an absolute value of 1, and a bound of $4^n$. 

Case 2: The number of row entries with $2^i$ ones is equal to the number of 
points in $i$-th lattice layer. Summing them all results in: 

$\sum_{i=0}^{2^n-1} \sum_{j=0}^{2^n-1} |t_{ij}^{AT}| = \sum_{i=0}^{n} \binom{n}{i} 2^i = 3^n$, 

according to the binomial theorem. ■ 

Please note that Lemma 3 holds for all the functions, and not only the 
unate ones. Based on Theorem 6, Theorem 7, and Lemma 3, we conclude 
that there is a small polynomial (AT) error spectrum when the superimposed 
error circuit is small, such as for the small depth circuits. 



4. EXPERIMENTAL RESULTS 

We have presented so far a simulation-based verification method 
designed for detecting implicit errors represented by small AT polynomials. 
The implicit model of small AT errors represents a large number of explicit 
gate and wire errors. It is sufficient to simulate a circuit using our UDS 
vectors to detect and uniquely identify all such implicit errors. In practice, as 
simulations used for verification purpose are the bottleneck in the design 
process, considering the implicit error model, which is more compact than 
explicit one, can save many simulation cycles. 

Now we apply our UDS vectors to identifying explicit gate and wire 
replacement errors. These faults represent the basic design errors discussed 
in Chapter 5. While the quality of the implicit error detection could be 
evaluated theoretically, explicit faults are addressed through experiments. 
Stuck-at faults are also considered to illustrate the manufacturing fault 
testing capabilities of the AT verification approach proposed in this chapter. 
In addition, we want to demonstrate how our UDS, which is independent of 
the circuit structure, performs for the concrete faults, which depend on the 
circuit structure. This is why we consider several alternative 
implementations of the same circuits, such as adders, multipliers etc. 



Circuit    Single s-a-v [%]           Single gate replacement [%]
           2nd     3rd     4th        AND     OR      XOR
il         86.9    86.9                       66.7
alu2       91.1    97.7                       96.6
alu4       90.1    96.1    98.9       97.8    98.2    100
9symml     49.9                               100     74.0
Cordic             87.0    98.0       100     98.0    44.4

Circuit 


Single s-a-v [%] 


Single gate replacement [%] 
my adder 


100 


100 


100 


97.6 


100 


100 








100 


100 












100 
cm138a 


67.5 


77.5 
100 






Decod 


76.7 


74.4 


100 






100 


f51m 














z4ml 


84.6 


^9 











Table 15: MCNC Benchmark Coverage with UTS (up to 4 Top Layers) 



The experimental setup consists of arithmetic and MCNC circuits 
synthesized into generic gate library - GTECH, provided by Synopsys 
synthesis tools. We used UC Berkeley SIS program as a platform on which 
we built fault simulation and our redundant fault identification. Table 15 
reports the coverage of single stuck-at faults and replacement faults with 
AND, OR and XOR gates for MCNC benchmarks. The first set of 
experiments was performed on the fault list with no removal of redundant 
faults. To present the effectiveness of our UDS vectors, we gradually 
increase the number of lattice layers used for stuck-at fault detection. All 
other experiments, presented next, use vectors from four lattice layers. The 
results reveal that four layers are sufficient for obtaining fault coverage over 
95% in most of typical arithmetic circuits and MCNC benchmarks. 

Experiments also illustrate the seriousness of the problem of redundant 
design faults. It appears that there are many more redundant single gate and 
wire replacement faults than in the case of single stuck-at faults. Hence, 
efficient methods for identifying such faults are crucial in obtaining a 
meaningful coverage. We have shown in [100] and [101] that the problem 
differs substantially from the case of stuck-at faults (e.g. [67]), and that the 
effective redundant fault identification can be obtained by combining several 
methods. To get meaningful coverage, we apply methods for identification 
of redundant faults, which we will describe in great detail in the next 
chapter. 

The coverage of gate and wire replacement faults with four top layers is 
recorded in Table 16 and Table 17 for arithmetic and MCNC circuits, 
respectively. Experiments show that high fault coverage of explicit faults is 
obtained by using the small error spectrum assumption in UDS test pattern 
generation. 
Circuit        Size    Gate [%]   Wire [%]
Look-ahead     12      96.7       75.7
Adder          16      96.8       72.1
               24      96.8       79.7
               10      95.1       100
ALU            12      94.7       100
               9x5     100        100
CLA            11x6    100        94.9
Divider        13x7    100        88.1
Array          9x5     100        100
               11x6    100        100
Divider        13x7    100        100

Table 16: Coverage of Gate and Wire Replacement Errors in Arithmetic 
Circuits 



Circuit    Gate [%]   Wire [%]
alu2       96.2       100
alu4       95.9       100
9symml     97.5       100
Cordic     92.8       100
C499       100        96.2
C432       100        100
C17        100        100
C1355      100        97.6
C1908      91.2       90.4
C6288      100        94.9
C880       97.6       97.0

Table 17: Fault Coverage of Wire and Gate Replacement Errors in 
MCNC Benchmarks 
4.1.1 Improvements - Neighborhood Subspace Points 

Although only up to four lattice layers (plus vector 11...1) were needed 
for good coverage, we considered the alternative schemes that use a subset 
of the considered lattice points. The UDS approach of generating test vectors 
was enhanced by a test set reduction scheme, in which the tests are still 
independent of the circuit implementation. We use additional information 
from the AT specification, rather than the circuit structure. 

While the original test vectors cover exhaustively four top lattice layers, 
we also considered covering exhaustively only the neighbor variables among 
these lattice layers. For example, in adders, each expression $(a_i + b_i)2^i$ of the 
adder AT specification joins together the neighbor variables in a polynomial 
term that is multiplied by the same constant $2^i$. Additionally, a carry out bit 
propagates from the $i$-th to the $(i+1)$-th stage. We then deem the neighboring 
inputs to be $a_i$, $b_i$, $a_{i+1}$ and $b_{i+1}$, Figure 62, and ensure that only such four 
bits are simulated exhaustively among the four top lattice layers. The results 
in [105] show that almost no coverage is sacrificed compared to original UDS. 
While testing with all the vectors belonging to the top four layers requires 
$O(n^4)$ points, the subset that is exhaustive only for all the neighbor variable 
combinations contains only $O(n^2)$ vectors. The savings are equivalent to 
using two layers less in the test set. 



Figure 62: Exhaustive Coverage of Vector Subspace of Size Four 
[Figure labels: window over $a_i$, $b_i$, $a_{i+1}$, $b_{i+1}$; vector of size n > 4] 
5. CONCLUSIONS 

We proposed a vector-based verification of datapath circuits using 
Arithmetic Transform and the concept of implicit error modeling. We have 
shown that this method can be applied to derive effective test sets for several 
classes of design errors, because of its inherent diagnosis and error 
correction capabilities. By employing AT, the simulation-based approach is 
compatible with commonly used formal verification representations. Further, 
our scheme can be combined with testing for manufacturing faults, leading 
to a reuse of design error verification vectors in detecting manufacturing 
faults, and vice versa. Additionally, as the deep sub-micron faults might 
need a model that is closer to gate replacements than to stuck-at model [2], 
[32], dealing with gate and wire replacements might become a necessity in 
manufacturing fault testing. 

The compact circuit representations and the capability of relating the 
common errors to the bounds on the vector set size are achieved by using the 
arithmetic spectrum. This provides the confidence in restricting an 
otherwise exhaustive test set to its smaller subsets, without sacrificing the 
fault detection capability. The improvements to the basic concept include the 
use of the high-level information on the input variable dependences, through 
neighbor window variables. A good diagnostics method based on the 
spectral reconstruction could be also developed. 




Chapter 7 

IDENTIFYING REDUNDANT GATE AND WIRE 
REPLACEMENTS 



In simulation-based verification by an explicit error model, the fundamental 
problem is that simulations alone, unless exhaustive, cannot identify the 
ever-present redundant faults. This chapter considers redundant gate and wire 
replacement faults identification in verification of gate-level designs. 
Removing redundant faults from a fault list is critical to the quality and speed 
of verification schemes. We present the exact identification of redundant gate 
and wire replacement faults, together with efficient approximations. While we 
rely on the satisfiability formulation of the problem, we propose the means to 
effectively use any single stuck-at-value redundancy identification in the 
approximate schemes, with varying detection accuracy. Critical to the latter is 
the novel application of don't care approximations that identify many 
redundant faults and quickly point out those that can be detected by methods 
for stuck-at value faults. A test generation scheme that uses the 
error-correcting properties of AT, discussed in Chapter 6, is incorporated into 
the overall verification procedure. 



1. INTRODUCTION 

In simulation-based verification of digital circuits by error model, a fault 
list is required to estimate a quality of a test set, and to provide a confidence 
in verification results. A large class of failures encountered in practice (e.g., 
[26] and [131]) consists of erroneous replacements of a gate or a wire in a 
network with another gate or wire, respectively, as detailed in Chapter 5. 

The early approach to representing design errors at the gate level 
considered failures, which were proven to be detectable by testing for single 
or multiple stuck-at-value (s-a-v) faults [8]. It was shown that the 
substitutions with AND, OR, NAND and NOR gates could be tested by 
stuck-at-value (s-a-v) methods, using the automatic test pattern generation 
(ATPG). 

As we illustrated in the last chapter, the major obstacle in applying 
simulation-based verification under the explicit fault model is that the 
coverage and the running time of testing procedures are seriously impaired 
by redundant faults. For example, fault coverage of a 13x7 array divider is 
only 75.5% if the redundant faults are not removed from the fault list [105], 
and 100% otherwise. Unless applied exhaustively, simulations alone cannot 
deal with that problem. Redundancy identification has been mainly 
considered in the context of stuck-at faults. The algorithms use either 
structure-based search [88] (including its quick approximations [67]), or rely 
on algebraic approaches, such as satisfiability (SAT) formulation and its 
extensions [80], [27]. In Chapter 5 the issue of redundancy identification in 
the context of implementation verification by test vectors was brought up. 
An ATPG-based scheme was applied to determine redundancies for a subset 
of gate replacements by multiple runs of s-a-v redundancy identification for 
each gate replacement fault. 




Figure 63: Relation Among Proposed Methods 
[Figure labels: Approx. by 1-Cube Distance; Approx. by 1-Minterm Distance; 
CODC Subset Approximation] 

Redundant error identification is one of the hardest problems in testing, 
and it is very difficult to find a comprehensive, yet simple and elegant 
solution. Instead, in this chapter we suggest a comprehensive approach, 
which consists of several methods with varying accuracy in redundant fault 
identification, Figure 63. 

Some of our solutions rely directly on the fact that redundant errors in 
any circuit are caused by don’t care (DC) conditions. As we have illustrated 
in Chapter 3, the exact identification of don’t cares in even moderate size 
circuits is difficult. Therefore, in order to remove this obstacle, we use 
approximations in DC calculations. The least precise, but fastest is the 
solution that uses the approximation of observability don't care conditions 
(ODCs) by compatible ODCs (CODCs), Section 3. The circuit don’t cares 
are used here to eliminate many redundant replacement faults, and also 
identify those faults that are either likely to be redundant or, otherwise, to be 
detected by standard s-a-v methods [8]. Undetected faults are then treated by 
extending a single s-a-v redundancy identification. All methods dealing with 
DC calculations are approximate, and although they never give a false 
positive result, i.e., declare an irredundant fault as redundant, they may miss 
some of the redundant faults. 

In Section 4 we present an exact identification of gate replacement faults 
using an all-SAT formulation. In addition to identifying redundant wire 
replacements for the verification purposes, such information can be used to 
improve the process of circuit optimization. Our approach to redundant wire 
identification, Section 5, can be applied directly to such logic optimizations. 
In Section 6 we construct an exact identification of wire replacement faults, 
using an all-SAT formulation. Figure 63 relates the considered methods. A 
test generation scheme that uses the error-correcting properties of Arithmetic 
Transform (AT) is incorporated into the overall verification procedure. Our 
redundancy identification schemes are applied to providing high coverage 
for the test generation scheme based on AT decoding algorithms that can be 
parameterized by the size of the error. 



2. GATE REPLACEMENT FAULTS 

In this chapter, we say that a replacement fault is an erroneous 
substitution of either a gate or a wire. In addition to verification by error 
modeling [3], [25], these faults are present in deep sub-micron 
manufacturing [2], [31], [32] where a fault can cause a gate to function as a 
completely different gate. Replacement faults are affecting either single or 
multiple nodes. Gate replacements influence single nodes, while wire 
replacements change either single or multiple nodes. 

Definition 13: A single gate replacement error (SGRE) erroneously 
substitutes a single gate in the netlist with another functionally different gate 
of the same number of inputs and outputs. 

This definition also includes the missing/added inverter, as well as the 
extra gate added at the inputs of the original gate, as shown in Figure 64. 
These faults are simply subsumed to either fan-out or fan-in of an immediate 
neighboring node. 
Figure 64: Errors in a Netlist 

The gate replacements, unlike s-a-v faults, affect only the components, 
while the interconnect stays fault-free. Therefore, deterministic tools for test 
pattern generation and redundancy identification, which work well with the 
s-a-v fault models, cannot be straightforwardly applied to the detection and 
redundancy identification of the gate replacement errors. To solve the 
problem of incompatibility of tools and error models, we can construct the 
transformation of a gate replacement error into s-a-v fault domain, and then 
use standard testing tools for the s-a-v detection and redundant error 
identification. Alternatively, we can treat gate replacement errors as an 
independent problem, and look for some alternative ways of their detection. 
The former approach is summarized in Chapter 5, Section 3.1, the latter is 
the scheme proposed in this work, described in the remainder of this chapter. 

2.1 Redundant Replacement Faults 

A redundant replacement at a given node is a substitution that does not 
change the original function of the circuit. Redundant errors of any kind 
significantly deteriorate the performance of a testing scheme. By identifying 
them, we avoid costly simulations of these faults. 







There are $2^{2^n} - 1$ possible SGREs at an n-input node. To this set of 
single gate replacements, as special cases, belongs up to $2(n + 1)$ single s-a-v 
faults associated with the node. Unlike a s-a-v fault, which permanently ties 
a signal to either 0 or 1, the polarity of an error caused by a replacement fault 
depends on stimuli. To deal with such faults, we are forced to seek new 
redundant fault identification methods. 

2.1.1 Overview of the Proposed Approach 

In this chapter we present the methods that can handle all the possible 
gate replacements in a single pass without restrictions to particular gate 
types, unlike the method from [8]. We will identify the conditions that 
prohibit either the excitation of a single gate replacement error with the 
appropriate inputs, or the propagation of the erroneous result to the primary 
outputs. The redundant fault identification has been mostly considered in 
context of s-a-v faults. To benefit from the wealth of s-a-v methods, we 
propose a scheme that for many SGREs results in a s-a-v fault 
representation. In contrast to the method in [8], where a set of single s-a-v’s 
was needed to represent a single SGRE, we consider at most one such s-a-v 
fault per SGRE. Then, any standard s-a-v technique can detect all SGREs. 
Additionally, our method can identify in the process many SGREs that 
cannot be represented by single s-a-v faults. 

We will demonstrate this procedure [101] in the way analogous to the 
well-known s-a-v SAT formulation by Larrabee [82]. Structural s-a-v ATPG 
approaches can be applied as well. Further, an exact SAT formulation is 
presented in Section 4, together with the preprocessing steps for the 
algorithm speedup. 



3. REDUNDANCY DETECTION BY DON’T CARES 

Redundancies are caused by don’t care (DC) conditions at nodes affected 
by faults. As we have shown in Chapter 3, Section 2, these are either 
observability DC (ODC) or controllability DC (CDC) conditions inhibiting 
the error detection. Our first redundant fault identification consists of two 
steps, both of which can be performed in varying degree of approximation. 
First, we use the don’t care information in the network to screen out most of 
the redundant faults. We always apply the approximate CODC construction, 
for performance reasons and because they allow us to deal with multiple 
node faults (as in wire replacements), as explained at the end of Chapter 3. 
The use of don’t care subsets guarantees that no irredundant fault will be 
declared redundant. For selected remaining faults, we apply the modification 
of single stuck-at-fault redundancy identifications. One such method, based 
on the satisfiability (SAT) formulation of the problem is employed. 
Information on which replacements are to be probed by the SAT approach is 
provided by don’t care sets obtained in the first step. 

The controllability and observability analyses, such as SCOAP [56] and 
its successors, have been employed in guiding the ATPG branching 
heuristics. While such methods are quick and suitable for their intended 
application, when applied to redundancy detection, they can result in two- 
sided errors - the redundant faults might be proclaimed redundant or vice 
versa. Our proposal avoids this problem completely - irredundant faults will 
never be discarded as redundant. Since the error will be one-sided, we say 
that our approximations are safe. 

3.1 Using Local Don’t Cares 

We explicitly deal with local don’t care sets at a given node, and their 
complements - local care sets, defined as follows. 

Definition 14: A local don’t care set associated with a given circuit node 
consists of the CDCs and ODCs associated with this node. A local care set 
($Care_{local}$) of a given node is the complement of the local don’t care set. 

Note that DCs observed at the primary I/Os of the circuit are the global 
DCs associated with this circuit. 

Each replacement gate h that coincides with the original gate g on a local 
care set, $Care_{local}$, at a given node, creates a redundant fault. 

Lemma 4: Let gate “g” be replaced with gate “h”. By considering their 
respective ON-sets, $g_{ON}$ and $h_{ON}$, and local care set $Care_{local}$, replacement 
is redundant if: 

$g_{ON} \cap Care_{local} = h_{ON} \cap Care_{local}$. 
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Correct Crcuit 




a) Irredundant ReplasemenI b) RedundanI ReplacemenI 



Figure 65: Example of a) Irredundant and b) Redundant Gate Replacement 

Fault 

Proof: Examine the local care set at a node. This set alone can be both 
excited and observed. By replacing gate g with gate h that coincides with g 
on the care set, the original function has not changed. Hence, the substitution 
is redundant. ■ 

Example 40: Consider replacement of an OR gate in a Boolean network,
assuming that the local don't care function is equal to the product of the two
inputs to the gate, a * b, Figure 65. The gate replacement with an AND gate
will be irredundant according to Lemma 4. The replacement by an XOR gate,
Figure 65.b, is redundant, as the assignment of inputs for which the OR and
XOR gates differ, a = b = 1, is completely contained in the don't care set.




Figure 66: Don't Care Set Influence on Replacement Errors

Figure 66 shows how a gate replacement error, with g replaced by h, can
become hard to detect or even redundant when a DC set overlaps the
difference between the two. The DC set that partially intersects with the
Boolean difference between g and h creates the irredundant error, as in
Figure 66.a. Due to DCs, fewer test patterns might detect the erroneous gate
h. The DC set that completely covers the difference between the two creates
the redundant error, Figure 66.b.

At this stage, we can identify some redundant faults by only following
Lemma 4, and considering care sets associated with the correct and
erroneous gate. The algorithm used is as follows:

Generate CODC approx. of DC set for the network
for each fault (g → h)
{
    obtain: (h ∩ Care_approx), (g ∩ Care_approx),
    l = (h ∩ Care_approx) ⊕ (g ∩ Care_approx)
    if (h ∩ Care_approx == g ∩ Care_approx)
    {
        drop_fault(g → h);
    }
}

Algorithm 5: Redundancy Identification Using Only DC

Note that for all possible replacement faults, DC sets have to be obtained
only once. They are often available as a by-product of a synthesis process. If
we have the full don’t care sets, Lemma 4 provides us with the exact
redundancy identification. However, practical schemes use only a subset of
DCs, as shown in Section 3, compromising the overall results. This method
is, in fact, the least computationally expensive of all the scenarios
proposed in this section. Its main task is not to catch all the redundant
faults, but rather to eliminate from the fault list as many of them as possible.
Then, other, more precise, but also more involved methods presented next
are called significantly fewer times to address the remaining faults suspected to
be redundant.

3.2 Using Testing - Single Minterm Approximation

Since we employ subsets of don’t cares, not all redundant replacements
will be detected by the previously described method. In fact, it is not
possible to identify any more redundant faults based only on the DC
information at hand. Therefore, we have to employ a more involved and more
costly apparatus. In order to save the simulation time, we first pre-screen the
set of the faults that the previous method was not capable of addressing.
From this set we select the most likely candidates to be redundant, based on the
information already obtained during don’t care calculation. Only then is the
deterministic method employed in the final step of identifying redundant
faults.

Definition 15: An approximated don’t care set associated with a given node
is a set of local don't cares where ODCs are approximated with CODCs,
while other DCs are exact. Correspondingly, an approximated care set
($Care_{approx}$) of a given node is the complement of the approximated local
don’t care set of this node.

The approximated local don’t care set ($DC_{approx}$) is a subset of the exact
local don’t care set ($DC_{local}$) at a given node

$DC_{approx} \subseteq DC_{local}$,

while the $Care_{approx}$ is the superset of the exact local care set of this node.

Definition 16: The Hamming distance d '. x {0,l} ' 1—^ N between two 
Boolean functions “f" and "g” is defined as the number of minterms in 
which these functions differ. In other words, if "w" is the weight function
that represents the number of minterms in a function, then

Example 41: Consider two functions f = x*y + y*z and g = x*y*z. The
Hamming distance is obtained by calculating first the Boolean difference
between the sets of points for which the two functions are equal to 1. We
refer to these sets as ON-sets, and label them as $f^{ON}$ and $g^{ON}$. We use
the symbol ⊕ to denote the Boolean difference between two sets, which is
calculated by XOR-ing their characteristic functions.

$f^{ON} \oplus g^{ON} = (x*y + y*z) \oplus (x*y*z) = y*(x \oplus z) = x*y*z' + x'*y*z$.

Figure 67: Example of Hamming Distance between Functions f and g

Therefore, the weight of this function, i.e., the number of minterms for which the
function is equal to one, is 2, Figure 67.

Consider the extension to the Hamming distance that is defined with
respect to the care set at a node. The distance $d_{care}$ is equal to the number of
minterms of the Boolean difference between the two intersections of
functions with the local care set:

Distance $d_{care}$ is positive for redundant faults not detected by the use of
$Care_{approx}$, as well as for irredundant replacements. Our next task is to
distinguish between these cases. The distances obtained by the exact and
approximate local DC sets can be related, based on the size of these sets, by
the following Lemma.

Lemma 5: The following relation is true for the Hamming distances between
gate "g" and its faulty replacement "h" calculated with the use of local
($d_{local}$) and approximated ($d_{approx}$) DC sets:

Proof: We rewrite the distance function in Equation (1) as: 

r^Car^ nCar^) - nCar^ . 

Since the approximated set is a superset of the exact local care set, i.e.,
$Care_{approx} \supseteq Care_{local}$, the distance from Equation (1) can only be larger
for the approximated set. ■

The distance information provides the means to formulate further
refinements to filter out the irredundant faults from those identified by
applying Equation (1). If the distance is small, it is possible that the fault was
redundant, but undetected due to DC subsets.

Example 42: Consider a replacement error at node "b" of a circuit in
Figure 68.

Figure 68: Circuit with Replacement Fault at Node b

Assuming full controllability, the local DC set at node "b" consists only of
ODCs. Equations describing the original function f, $ODC_b$ and $Care_{local}$ sets are
shown in Table 18.



Original Function f 


X, *x, + X| *xi + x, *x^ 


ODC, 


X, * X, + x^ 


Care, arc! 


odc;=x'*x 3 



Table 18: ODC and Care/ocot Sets for Node b in Figure 68 

Let L = [AND, NOR, NAND, XOR, XNOR] be the possible gate
replacements, and let "W" denote the exchanging of input wires at node
"b". Table 19 describes the effects of the replacement faults at node "b".
The first row includes the Hamming distances between the correct and faulty
gates with no DC set taken into account.





                W     XOR   AND   NAND   XNOR   NOR
D               0     1     2     2      3      4
d ∩ Care        0     1     ,     1      1      4
# vectors       0     1     3     3      5      6

Table 19: Distances and Number of Vectors Detecting Errors for Circuit
in Figure 68

The Hamming distance, calculated according to Equation (1), is shown in
the second row of Table 19. The number of test vectors detecting the fault
(the third row) increases with the Hamming distance.



DC sets that are practical to get are only subsets of the exact care sets. In 
actual calculations, using such approximations, the obtained distances with 
respect to the approximate care sets will differ from the exact case. 

Example 43: Consider the circuit from Example 42, where instead of using 
the exact ODC don't care set $ODC_b$ = JCj * A :3 + Xj, the approximate DC is
$x_2 x_3$. The influence of the exact and approximate don’t cares on the
difference between the original and the replaced functions is summarized in 
Table 20. Please note that when the approximate DCs are used, the 
corresponding intersections of ON-sets are larger.
/


frxCare,^ 






X,+ (lj©7j) 




X,©Xj 


ft 


X,(X3©a^) 




x,Cx,®Xj) 


ft 9AND 






x,'(x; + ;4)+x,x;x; 


/, ffiW4WD 




x,x;x3 


x,(x^ + 4)+xJxix| 


ft WXNOR 




x;x;x. 


x[(.x^ + x^) 


ftONOR 
1 






x;*x; 



Table 20: Function Difference with Exact and Approximate DCs for 
Circuit in Figure 68 

Further redundancy identification can be parameterized by the nonzero
distance

$d(g^{ON} \cap Care_{approx},\ h^{ON} \cap Care_{approx}) < c$ (2)

to guarantee that the s-a-v redundancy detections can be directly applied. For
that, we define the class of single-value faults.

Definition 17: We say that the replacement fault that results in only one
polarity (0 or 1) of faulted value at a gate output is a single-value (s-v-0 or
s-v-1) fault. For non-failing stimuli, it behaves as a correct circuit, and can
carry signals of both polarities.

Example 44: Consider a substitution of a two-input AND with an XNOR
gate. For input stimulus (0,0), it behaves as a s-a-1 fault at the output.
Otherwise, it behaves as a correct circuit. Hence, this is a single-value
replacement fault.

Lemma 6: The gate replacement "h", that is within Hamming distance one:

$d(g^{ON} \cap Care_{approx},\ h^{ON} \cap Care_{approx}) = 1$

results in a single-value fault at the output.

Proof: Since the functions differ in only one minterm, only one polarity of 
the fault can be present. ■ 








The implementation of this method is summarized by the pseudo-code as
follows. Procedure detect_s-v_minterm(l) solves single-value fault instances for
corresponding replacements at a minterm l. These instances can be solved
using either a s-a-v ATPG or SAT. The overall algorithm only needs to call
this procedure upon a single-minterm fault; if it fails to produce a vector, the
fault is redundant. We will give a more thorough explanation in the following
section using SAT formulation.



if (d(l = (h ∩ Care_approx, g ∩ Care_approx)) == 1)
{   /* l = 1, 1-Minterm approx. */
    if (detect_s-v_minterm(l))
        drop_fault(g → h);
}

Algorithm 6: 1-Minterm Redundancy Detection
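
The DC screen of Algorithm 5, the single-minterm check of Algorithm 6 and the distance relation of Lemma 5 can be traced on a small circuit. This is an added example, not code from the book: the circuit, the function names and the hand-picked approximate DC subset (standing in for a CODC computation) are assumptions. Care sets are expressed over primary inputs, so one simulated vector stands in for the s-a-v ATPG/SAT call.

```python
from itertools import product

# Two-input gate library for the original gate g and its candidate replacements h.
GATES = {
    "OR": lambda p, q: p | q,
    "AND": lambda p, q: p & q,
    "XOR": lambda p, q: p ^ q,
    "NAND": lambda p, q: 1 - (p & q),
    "NOR": lambda p, q: 1 - (p | q),
    "XNOR": lambda p, q: 1 - (p ^ q),
}
VECTORS = list(product((0, 1), repeat=3))  # all primary-input vectors (x1, x2, x3)


def simulate(vec, gate="OR", force_g=None):
    """Constructed circuit: g = gate(x1, x2); y = (g AND (x1 XOR x2)) OR x3.

    Returns (value at node g, value at output y); force_g overrides node g."""
    x1, x2, x3 = vec
    g = GATES[gate](x1, x2) if force_g is None else force_g
    return g, (g & (x1 ^ x2)) | x3


def on_set(gate):
    """ON-set of the node function, expressed over primary-input vectors."""
    return frozenset(v for v in VECTORS if simulate(v, gate)[0] == 1)


def exact_care_set():
    """Exact local care set: vectors for which flipping node g flips output y."""
    return frozenset(v for v in VECTORS
                     if simulate(v, force_g=0)[1] != simulate(v, force_g=1)[1])


def care_distance(g, h, care):
    """Weight of (g_ON ∩ Care) ⊕ (h_ON ∩ Care), counted in minterms."""
    return len((on_set(g) & care) ^ (on_set(h) & care))


def truly_redundant(g, h):
    """Ground truth by exhaustive simulation (feasible only for tiny circuits)."""
    return all(simulate(v, g)[1] == simulate(v, h)[1] for v in VECTORS)


def identify(g, candidates, care):
    """DC screen (distance 0), then the single-minterm check (distance 1)."""
    dropped_by_dc, dropped_by_minterm, remaining = [], [], []
    for h in candidates:
        diff = (on_set(g) & care) ^ (on_set(h) & care)
        if not diff:
            dropped_by_dc.append(h)
        elif len(diff) == 1:
            (vec,) = diff
            # The only candidate test vector fails to expose the fault: redundant.
            if simulate(vec, g)[1] == simulate(vec, h)[1]:
                dropped_by_minterm.append(h)
            else:
                remaining.append(h)
        else:
            remaining.append(h)
    return dropped_by_dc, dropped_by_minterm, remaining


CANDIDATES = ["AND", "NAND", "NOR", "XOR", "XNOR"]
CARE_LOCAL = exact_care_set()
# Assumed approximation: a strict subset of the exact DC set that misses (0, 0, 0).
DC_APPROX = frozenset(v for v in VECTORS if v[2] == 1 or v[:2] == (1, 1))
CARE_APPROX = frozenset(VECTORS) - DC_APPROX

if __name__ == "__main__":
    for h in CANDIDATES:
        print(h, "d_local =", care_distance("OR", h, CARE_LOCAL),
              "d_approx =", care_distance("OR", h, CARE_APPROX))
    print(identify("OR", CANDIDATES, CARE_APPROX))
```

With the approximate care set the screen alone drops only the XOR replacement; the NAND replacement is also redundant but is left at distance one and is caught by the single-minterm step.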



3.3 Redundant Single Cube Replacements 

A closer approximation can be considered to detect more redundant faults
while employing the modified s-a-v identifications. We will consider for
redundancy check all those gate replacements whose function distance from
the correct gate is $d_c = 1$, where $d_c$ is measured in cubes, instead of minterms.

Lemma 7: If the gate replacement "h" is within a single-cube distance, and

if 

nCare^^^,,.^ > n Care^^p,.^, (3) 

then, the replacement is a single-value 0 fault. For a single-value 1 fault,
sign "<" is used instead.

Proof: The functions in this case differ in more than one minterm. By
inspecting the intersections with $Care_{approx}$, it follows from Equation (3) that
the replacement is of the single value 0. The condition opposite to Equation
(3) then holds for a single-value 1 replacement. ■

Theorem 9: Replacements satisfying Lemma 7 are redundant iff a single
stuck-at fault at the gate outputs is redundant for the single-cube input
assignment that distinguishes the two functions.

Proof: (⇒) Redundancy of such a replacement implies single stuck-at
redundancy restricted to the input cube for which the functions differ.
(⇐) If the s-a-v is redundant and only the input cube for which the functions
differ is exercised, then we have a single-value replacement, which is
redundant. ■

Example 45: Consider an error caused by replacing the 2-input OR gate in
the circuit in Figure 68 with an XOR gate. The replacement forces a single-value
0 fault for a single cube ($x_1 = 1$, a = 1) assignment of its inputs. This
fault can be tested as a s-a-0 fault with an additional constraint: $x_1 = 1$, a = 1.

As a corollary to Theorem 9, single s-a-v redundancy identifications can 
be employed for cases of single-cube distance replacements. While one can 
apply various s-a-v approaches for single-cube redundancy detection, in our 
case we rely on SAT-based identifications, as explained next. 

if (d_c(h ∩ Care_approx, g ∩ Care_approx) == 1)
{   /* l = 1, 1-Cube approx. */
    if (h ∩ Care_approx > g ∩ Care_approx)
    {
        if (detect_s-v-0_cube(l))
            drop_fault(g → h);
    }
    else if (h ∩ Care_approx < g ∩ Care_approx)
    {
        if (detect_s-v-1_cube(l))
            drop_fault(g → h);
    }
}

Algorithm 7: 1-Cube Redundancy Detection



3.3.1 Use of SAT in Redundancy Identification

Satisfiability formulation has been introduced to manufacturing testing 
by Larrabee in [82]. The targeted application was the automated test pattern 
generation (ATPG) technique for single s-a-v faults. Boolean function 
satisfiability works similarly to formula satisfiability problems described in 
Chapter 2. For each fault in a circuit, a conjunctive normal form (CNF) is
constructed. This product of sums (the sums are referred to as clauses) is
equal to one for every solution, and finding one satisfying
assignment amounts to obtaining a test vector. If there is no solution, i.e., if
the expression is unsatisfiable, then the fault is redundant.

The SAT formulation for single stuck-at fault redundancy identification
and/or test generation consists of several types of clauses. Good circuit
clauses represent the correct operation of the whole circuit. Faulty circuit 
clauses describe the effects of a single stuck-at fault on the downstream 
network nodes. Active clauses are introduced to give the activation 
conditions of a fault. Finally, the fault site and goal clauses describe the 
activation and observation of the fault.

Example 46: The following clauses are generated for a s-a-0 fault at node
"b" of the circuit in Figure 68. The variables are associated with nodes in
the network. Those with no subscripts are the good clause variables, "x",
the faulty circuit variables at the same node have the subscript "f", as in
"$x_f$", while the activation variables have the subscript "a". The conditions
for which the individual clauses are created are placed in square brackets,
Table 21.



Good Circuit 
Clauses 

j 


|OR):(x, -b Xi)(A +a), 

|N AND] : (Xj + a -t- c)(a + cXXj + c), 

[AND]: (b +c A d)(b+ d){c+ cf), 

[XORj: (Xj -1- X, -t- a)(x, -I- Xj -i- a)(x, -f x, -t- a)(X 2 -t- x, -i- 5) 


Faulty Circuit 


[AND] : (by + d)(c + d)(d + by Ac) 


Active 

Clauses 


]Actlve=>(Good?^Faulty)): (6^ + b + by)(bg + h + by), 
]Active=>Output,]: (b„ + d„) 


Fault 

Location 


[Node b s-a-0]: b^bby 


Goal 


[Active Output]: d„ 



Table 21: SAT Clauses for Node b s-a-0 (Figure 68) 



A solution to this SAT problem, e.g. the satisfying input assignment $x_1 = 1$,
$x_2 = x_3 = 0$, produces a test vector.

This approach can be time consuming if applied to all faults. Next, we 
show how our DC-based algorithm can be used to filter out many cases of 
replacement faults. 

3.3.2 Passing Proximity Information to SAT

We can derive a SAT formulation for replacements not filtered by DCs 
using Lemma 6. The distance between the original and the replacement gate, 
as obtained by an approximated DC set, can be passed to SAT. This 
proximity information hence presents criteria for creating further 
approximations to the problem. 

By considering only single-cube distance replacements, as in Theorem 9, 
a simple and efficient SAT formulation is obtained. We first create a s-a-v 
instance corresponding to the polarity of the single-value faults according to 
Lemma 7. It is sufficient to add to that CNF the 1-Clauses that restrict the 
gate inputs to a single failing cube.

Generate CODC approx. of DC set for the network
for each fault (g → h) in faultlist
{
    obtain: (h ∩ Care_approx), (g ∩ Care_approx),
    l = (h ∩ Care_approx) ⊕ (g ∩ Care_approx)
    if (h ∩ Care_approx == g ∩ Care_approx)
    {   /* l == 0 */
        drop_fault(g → h);
    }
    if (d(h ∩ Care_approx, g ∩ Care_approx) == 1)
    {   /* l = 1, 1-Cube approx. */
        if (h ∩ Care_approx > g ∩ Care_approx)
        {
            if (detect_s-v-0_cube(l))
                drop_fault(g → h);
        }
        else if (h ∩ Care_approx < g ∩ Care_approx)
        {
            if (detect_s-v-1_cube(l))
                drop_fault(g → h);
        }
    }
}

Algorithm 8: Approximate Redundancy Identification



Example 47: To obtain a SAT instance for replacing the OR gate from
Figure 69 with an XOR gate, clauses are added to restrict the inputs to their
(single-cube) assignments that differentiate the gate functions. The following
1-Clauses are added to those for s-a-0 fault at node "b" (Example 45).

Additional clauses: [OR → XOR Replacement Inputs]: $x_1 a$.




Figure 69: Fan-out Stems for Calculation of Clauses 

If the original and replaced functions differ in one cube, say in k literals, 
only k 1-Clauses will be added. Adding each 1-Clause amounts to assigning 
the values to a variable throughout the CNF, i.e., restricting the search space 
by factor of 2. This contributes to a total reduction by a factor of $2^k$. Hence, it
might be significantly quicker to find the solution to this problem than to the
original s-a-v instance.

The approximate scheme for redundant gate replacement identification is
outlined in Algorithm 8. After intersecting the original and replaced gates
with the approximate care sets, their Boolean difference (⊕) is obtained. If
the difference is empty, the fault is redundant, and is not simulated. If the
difference is a single cube with properties from Lemma 7, a 1-Cube check is
performed by s-a-v identifications, augmented with enforcing the
distinguishing single-cube input assignment. If redundancy is not detected,
the fault is assumed irredundant and simulated by several lattice layer
vectors.



4. EXACT REDUNDANT FAULT IDENTIFICATION 



The previous solution had the advantage of reusing fast stuck-at fault 
methodologies, while possibly missing some redundant faults. Next, we 
present an all-SAT formulation that is exact. 

The SAT formulation uses the good circuit, faulty circuit and active 
clauses that are the same as in the standard single stuck-at SAT formulations. 
However, fault site clauses need to be modified in the following way. 

To describe the conditions for activating a fault, assignments of gate
inputs must be such that g ≠ h, regardless of the fault polarity. We create an
auxiliary node that is equal to l = g ⊕ h. Then, the fault location clause will
assert its value to l = 1, as shown in Figure 70 on an example of replacing an
OR with an XOR gate.



Figure 70: Exact SAT for a SGRE (panels: Correct Circuit; OR2 replaced with XOR2; Equivalent structure for SAT calculation; AND2 equivalent representation)

Hence, a SAT-based formulation of the redundant replacement fault
identification can be created by the addition of a node that differentiates the
original and the replacement function, and by generating a clause that forces
this gate to 1. A similar verification approach was presented in [20], where a
comparison XOR gate is added to two complete circuit implementations. We
note that such an XOR calculation is substantially more involved.

Example 48: To formulate a SAT instance for replacing the OR gate from
Figure 68 with an XOR gate, clauses are added which restrict the inputs to
the assignments that differentiate the gate functions. In this case, it is OR ⊕
XOR = AND, as shown in Figure 70. At the same time, as polarity of the
fault is not known, the stuck-at fault clauses should be removed.

Additional clauses: [OR — > XORReplacement ^AND]: 

(r, + 5 + 6)(j| + + h'j 

Removed clauses: [s-a-0]: hb/ . 
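
The exact formulation above, together with the optional 1-Clauses of Section 3.3.2, can be tried on a small netlist. This is an added example, not code from the book: the netlist, the function names and the minimal DPLL solver are constructed for illustration, and a direct output-difference clause stands in for the activation variables of the stuck-at formulation.

```python
def gate_cnf(kind, out, p, q):
    """Clauses (lists of signed ints) asserting out = kind(p, q)."""
    if kind == "AND":
        return [[-out, p], [-out, q], [out, -p, -q]]
    if kind == "OR":
        return [[out, -p], [out, -q], [-out, p, q]]
    if kind == "XOR":
        return [[-out, p, q], [-out, -p, -q], [out, -p, q], [out, p, -q]]
    inverted = {"NAND": "AND", "NOR": "OR", "XNOR": "XOR"}[kind]
    return gate_cnf(inverted, -out, p, q)  # out = NOT inverted(p, q)


def dpll(clauses, assignment=None):
    """Minimal DPLL: returns a satisfying {variable: bool} dict, or None if UNSAT."""
    assignment = dict(assignment or {})
    while True:  # simplify under the current assignment and propagate unit clauses
        pending, unit = [], None
        for clause in clauses:
            free, satisfied = [], False
            for lit in clause:
                value = assignment.get(abs(lit))
                if value is None:
                    free.append(lit)
                elif value == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not free:
                return None  # every literal is false: conflict
            if len(free) == 1 and unit is None:
                unit = free[0]
            pending.append(free)
        clauses = pending
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    if not clauses:
        return assignment
    var = abs(clauses[0][0])
    for value in (True, False):  # branch on the first free variable
        model = dpll(clauses, {**assignment, var: value})
        if model is not None:
            return model
    return None


# Constructed netlist: (output, gate, input, input); the fault site is gate "g".
INPUTS = ["x1", "x2", "x3"]
NETLIST = [("g", "OR", "x1", "x2"), ("t", "XOR", "x1", "x2"),
           ("u", "AND", "g", "t"), ("y", "OR", "u", "x3")]
OUTPUT, SITE = "y", "g"


def build_cnf(replacement, cube=None):
    """CNF that is satisfiable iff replacing the SITE gate changes the OUTPUT."""
    ids = {}

    def var(name):
        return ids.setdefault(name, len(ids) + 1)

    def faulty(name):  # primary inputs are shared by both circuit copies
        return var(name) if name in INPUTS else var(name + "_f")

    clauses = []
    for out, kind, p, q in NETLIST:  # good circuit clauses
        clauses += gate_cnf(kind, var(out), var(p), var(q))
    for out, kind, p, q in NETLIST:  # faulty circuit clauses, SITE gate replaced
        kind = replacement if out == SITE else kind
        clauses += gate_cnf(kind, faulty(out), faulty(p), faulty(q))
    # Fault location: auxiliary node l = g XOR h, asserted to 1.
    clauses += gate_cnf("XOR", var("l"), var(SITE), faulty(SITE)) + [[var("l")]]
    # Goal: the good and faulty outputs differ.
    clauses += gate_cnf("XOR", var("goal"), var(OUTPUT), faulty(OUTPUT)) + [[var("goal")]]
    for name, value in (cube or {}).items():  # 1-Clauses restricting the gate inputs
        clauses.append([var(name) if value else -var(name)])
    return clauses, ids


def find_test_vector(replacement, cube=None):
    """Test vector (x1, x2, x3) for the replacement, or None if it is redundant."""
    clauses, ids = build_cnf(replacement, cube)
    model = dpll(clauses)
    if model is None:
        return None
    return tuple(int(model.get(ids[name], False)) for name in INPUTS)


if __name__ == "__main__":
    for h in ("XOR", "NAND", "AND"):
        print("OR ->", h, ":", find_test_vector(h))
```

An unsatisfiable instance (`None`) means the replacement is redundant; passing `cube={"x1": 1, "x2": 1}` adds the two 1-Clauses for the OR to XOR case.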



4.1.1 Preprocessing 

Since invoking SAT instances can be costly, preprocessing steps
usually precede SAT procedures. Often, random simulations are applied.
Only if they fail to distinguish the correct and faulty circuits is SAT
invoked.

In our case, properties of the Arithmetic Transform (AT) vector set 
discussed in Chapter 5 can be exploited to surpass what is usually possible 
with random vectors. We have shown in Chapter 5 that by selecting the 
riog 2 (? + 01“ 1 layers of an input space Boolean lattice, any fault with less 
than a t term AT representation will be detected. A smaller number of such 
layers can be used for preprocessing. Upon their failure in detecting a fault, 
they can be passed to the SAT procedure, as non-satisfying assignments. 
This restricts the search space for satisfying assignments resulting in 
speeding up SAT. Unlike random vectors, this set has a very compact 
description. 



5. IDENTIFYING REDUNDANT WIRE 
REPLACEMENTS 

Wire replacements are relevant to both synthesis and verification. Many 
recent advances in synthesis are due to the rewiring approach, where
selected wires are chosen for the replacement, in an attempt to find a better
implementation for logic at considered nodes. It is recognized [123] that the 
rewiring techniques depend critically on quick identification of wire 
replacement redundant faults. 

Rewiring or insertion of design-for-testability (DFT) features such as
scan, test points or Built-in Self Test (BIST) are post-synthesis steps, as they 
are performed on the originally synthesized netlist, and generally affect 
small areas of the design. They often require human interaction, and can 
potentially result in errors, such as wrong wire connections, missing/added 
wire, etc. Hence, there is an obvious need to verify whether such errors were 
introduced to the final netlist. In the remainder of this chapter we consider 
the detection of wire replacement errors in combinational networks. We 
restrict our approach to errors that do not create cycles, as cycles are easy to 
detect. 

Wire replacements can be classified into two categories. The first one 
deals with errors affecting I/O port connections. I/O ports in this context can 
be either primary I/O pins, or can represent ports of internal complex blocks 
(cores) such as adders in datapath architectures. Detection of such errors is 
discussed in detail in Section 7. The second category describes errors 
causing one or more internal wires in the circuit to be wrongly connected to 
nodes. We further distinguish two subtypes of such replacements. 

Definition 18: Single port wire errors (SPWEs) are the replacements
affecting a single node in a netlist, such as added/missing wire and permuted
wire at the input to a node, Figure 71.a. Internal wire interchange errors
(IWIEs) are affecting multiple nodes in the netlist. IWIE errors include
exchange of two nets, where the two single stem nets are swapped to drive
the sink node originally driven by the other net, as in Figure 71.b.

Note that wire replacement errors, unlike gate replacements or s-a-v
faults, can affect a design at different levels of abstraction (from behavioral
to gate-level). Wire replacement errors can involve multiple wires and
change functionality of the given nodes.

Figure 71: Wire Replacements: SPWE and IWIE (panels: a) Original Netlist, Error Netlist - Missing Wire; b) Original Network, Error Netlist - Exchanged Wires h and i)



A redundant wire replacement, similarly to redundant s-a-v and gate 
replacements, does not change the original function of the circuit. The 
polarity of an error caused by a replacement fault depends on stimuli, unlike 
a s-a-v fault, which permanently ties a signal to either 0 or 1. We construct 
new redundant fault identification methods to deal efficiently with such 
faults. 

5.1 Wire Replacement Faults and Rewiring 

Recently, there has been increased interest in ATPG-based rewiring 
schemes for logic optimization [28], [47], [123] and [134]. These schemes 
explore the fact that adding and removing redundant wires does not change 
circuit functionality, but may significantly reduce the circuit size. Further, 
implementation verification techniques based on design error simulations 
place special emphasis on wire replacement errors in a netlist. The wire error 
modeling and detection, as well as the redundant error identification, are 
used in such verifications and logic optimizations. Design errors are often 
the results of changes introduced manually or even during the automated 
synthesis [20]. The most common wire replacement errors belong to the 
design error models proposed in [8] and [3].

The majority of rewiring techniques are based on s-a-v ATPG. However, as
the wire replacement faults differ from s-a-v faults, and the redundant wire
detection requires that both s-a-0 and s-a-1 faults at that wire are redundant,
each identification of such a redundant wire requires two runs of ATPG.
Additionally, ATPG algorithms are optimized for quick deterministic vector
generation, rather than for identifying the faults that are redundant.

Similarly, verification by test vectors relies on full testability of all 
possible design faults considered. This application also critically depends on 
the ability to detect redundant faults from a fault model. 

5.2 Detection by Don’t Cares

Although single port wire errors and internal wire interchange errors 
affect the wires, the fault effects are observed at nodes to which the 
erroneous wires fan in. Therefore, the redundancies in wire replacements are 
caused by don’t care conditions, either observability or controllability don’t 
cares.

The first redundant wire fault identification proposed here consists of two
steps, both of which can be approximated, similar to gate replacement faults.
First, we use the don’t care information in the network to screen out most of
the redundant faults. The use of DC subsets guarantees that no irredundant
fault will be declared as redundant. For selected remaining faults, in the
second step, we apply the modification of single stuck-at-fault redundancy
identifications. We employ a method based on the SAT formulation of the
problem. Information on replacements that are to be probed by SAT is
provided by don’t care sets obtained in the first step. All methods bear some
similarities to the analogous ones proposed for identifying redundant gate
replacement errors.

Each replacement h that coincides with the original function g on a local
care set $Care_{local}$ creates a redundant fault.



Figure 72: Internal Wire Interchange Error (IWIE) (panels: Error - Wire Replacement; New Erroneous Wire Connections; label: cut wire)

Lemma 8: Consider an interchange of two wires, Figure 72, driven by nodes
$N_1$ and $N_2$, performing functions $f_1$ and $f_2$, respectively. Let us denote ON-sets
of $N_1$ and $N_2$ by $f_1^{ON}$ and $f_2^{ON}$, and local care sets of $N_1$ and $N_2$ by $Care_{N_1}$
and $Care_{N_2}$ (before the exchange of nets $N_1$ and $N_2$) and $Care'_{N_1}$ and $Care'_{N_2}$
(after the exchange). The replacement is redundant if:

$f_1^{ON} \cap Care_{N_1} = f_2^{ON} \cap Care'_{N_1}$

and

$f_2^{ON} \cap Care_{N_2} = f_1^{ON} \cap Care'_{N_2}$.

Proof: If the first relation holds, then the net cut at $N_1$ is redundant, as $f_1$ at $N_1$
is being replaced with the equivalent function $f_2$ at net $N_1$. Consequently, if
both equations are true, then cuts at $N_1$ and $N_2$ are redundant, and the overall
interchange is redundant. ■

Example 49: Consider a circuit and internal wire interchange errors in
Figure 73, where nets "b" and "c" are replaced with their respective
predecessor nets. The local DC sets at nets "b" and "c" consist of
observability DCs. The original function "f" and $Care_{local}$ sets are shown in
Table 22. When a stem has multiple branches, the additional index is added
to the branch, as with "a_1", "a_2" and "x_3_2". The functions at the nets
"a", "b" and "c" are also given. Upon a replacement, these functions are
interchanged, and we aim to detect the difference between the original and
replaced functions, according to Lemma 8.



Function 


f = Xi*X2 *X2 ■¥Xx*x'i+Xi*x'’i 


Caret, 


Carcf, = ODC'i, = X 2 +X 2 


CarCc 


CarSc - ODC'c =x\ +X 2 X 2 +■*’ 2^3 


Carea \ 


=-«iU2+4) 


CarCaj 


=-* 3(^1 +^ 2 ) 


Care,i_2 


Care^^^=X 2 x'^ + x'jXj 


h 


fb=Xi+X2*X2+X2* X2 


/c 


fc =^2 +^3 


fa 


fa ^X2X2+X2X'2 



Table 22: $Care_{local}$ Sets for Figure 73

Figure 73: Circuit with IWIEs

5.3 Don’t Care Approximations

Lemma 8 provides us with the exact redundancy identification given the
exact don’t care sets. However, we use only the subset of DCs. ODC space
requirements are principal, and we approximate them by compatible
observability don’t cares (CODCs). The advantage of ODC subsets is that
the replacements affecting multiple nodes do not change the CODC value.
CODCs, hence, are very suitable for multiple wire replacements.

We recall from Section 3.1 that the approximated local don’t care set
($DC_{approx}$) is a subset of $DC_{local}$

$DC_{approx} \subseteq DC_{local}$,

and that $Care_{approx}$ is the superset of the exact local care set.

Similar to gate replacements, we use the Hamming distance between two 
Boolean functions 

dcareW = w((g™nCar^ . 

Care set represents either $Care_{local}$ or $Care_{approx}$ for determining $d_{local}$ or
$d_{approx}$, respectively.

Example 50: Consider the three faulty circuits (F.C.1 through F.C.3) from
Figure 73. Additionally, let "W" denote the permutation of input wires to
OR gate (node "b"). Table 23 describes the effects of these wire replacement
faults. The first row includes the Hamming distances between the correct
and faulty gates with no DCs taken into account.





                W     F.C.1   F.C.2   F.C.3
d               0     2       6       4
d_care          0     1,2     2,4     2,3
# vec           0     2       3       4

Table 23: Hamming Distances (d) and Number of Vectors Detecting
Error Gates for Circuit in Figure 73

The Hamming distances of the intersection with local care sets,
calculated at both affected nodes, are shown in the second row of Table 23.
The number of test vectors (the last row) increases with the Hamming
distance. The replacement "W" is redundant, and no vector detects it.

Distance $d_{care}$ is positive for redundant faults not detected by the use of
$Care_{approx}$, as well as for irredundant replacements. Our next task is to
distinguish these two cases. The distances by exact and approximate local
DC sets are related by extending an argument from Lemma 5.

Lemma 9: The following relation is true for the Hamming distances $d_{local}$ and
$d_{approx}$ for a single wire replacement between function "g" and its fault "h",
calculated with the use of local and approximated DC sets, respectively:

The distance information is used for assessing the likelihood that a fault
will be redundant without applying a complete redundancy identification
scheme. Further checks can be parameterized by nonzero distance:

$d(g^{ON} \cap Care,\ h^{ON} \cap Care) < c$. (4)

The small distance replacements possess additional properties, useful in 
detecting redundant replacements. The distance-1 replacements can be 
detected by s-a-v identifications, as the fault will be of one polarity only. 

5.4 SAT for Redundant Wire Identification 

A SAT solver is used for our redundant wire identifications. Again, to 
test for a fault in a circuit, a special CNF form is constructed. The CNF 
expression is unsatisfiable if there is no solution, i.e., the fault is redundant. 
This product of clauses is equal to one for all solutions, therefore a satisfying 
assignment is a test vector. The SAT formulation for a single s-a-v fault 
redundancy consists of the same four types of clauses as in Section 3.3.1. 
Good circuit clauses represent the correct operation of a circuit, faulty 
circuit clauses describe fault effects, active clauses give the activation 
conditions and the fault site, and goal clauses describe the observation and 
detection of the fault. 

5.4.1 Approximate Redundancy Identification 

We can derive a SAT formulation for replacements not filtered by don’t 
cares using Lemma 9. The distance between the original and the replacement 
wire, obtained by approximate DC set, can be passed to SAT. This 
proximity information represents additional criteria for creating further 
approximations to the problem. 

By considering only the single-cube distance replacements, as in 
Equation (4), an efficient SAT formulation can be obtained. We first create a 
s-a-v SAT instance corresponding to the polarity of the single-value faults, 
according to Lemma 9. It is sufficient to add to CNF the 1-Clauses (clauses 
with one literal) to restrict gate inputs to a single failing cube. 

Example 51: To obtain a SAT instance for replacement F.CA from Figure 
73, we remove clauses identifying it as a s-a-0 fault at node “b”. 

Removed clauses: [b s-a-0]: b„bb,-. 

The following 1-Clauses are added to those for to restrict the inputs to 
single-cube assignments that differentiate the gate functions. 

Additional clauses: [Distinguishing wire ft from n]: x^a. 
The approximate identification algorithm follows the outlines in 
Algorithm 8, used for redundant gate replacement errors, and repeated here. 
After intersecting the original and replaced wires with the approximate care 
sets, their Boolean differences (⊕) are obtained. If the differences are empty, 
then the fault is redundant and is not simulated (line 5). Otherwise, if the 
difference is a single cube with faults of one polarity, a 1-Cube distance 
check is performed by s-a-v identifications, augmented with the 
distinguishing single-cube input assignment (line 12 or 15). If redundancy is 
not detected, the fault is assumed irredundant and is simulated. 



6. EXACT WIRE REDUNDANCY IDENTIFICATION 

The approximate solution can employ fast stuck-at fault methodologies, 
while possibly missing some redundant faults. Next, we present an exact 
formulation. The good circuit, faulty circuit and active clauses are the same 
as in the standard single stuck-at-value SAT. However, fault site clauses will 
be augmented by a condition for activating a fault. For each node where 
function g is replaced by a function h, g ≠ h, we hence create an auxiliary 
node equal to l = g ⊕ h. Then, the fault location clause will assert: l = 1. 

1.  Generate CODC approx. of DC set for the network 
2.  for each fault (g -> h) in faultList 
3.  { 
4.    Obtain: (h ∩ Care_approx), (g ∩ Care_approx). 
5.    l = (h ∩ Care_approx) ⊕ (g ∩ Care_approx) 
6.    if (h ∩ Care_approx == g ∩ Care_approx) 
7.    { /* l == 0 */ 
8.      drop_fault(g -> h); 
9.    } 
10.   if (d(h ∩ Care_approx, g ∩ Care_approx) == 1) 
11.   { /* l = 1, 1-Cube approx. */ 
12.     if (h ∩ Care_approx > g ∩ Care_approx) 
13.       if (detect_s-v-0_cube(l)) 
14.         drop_fault(g -> h); 
15.     else if (h ∩ Care_approx < g ∩ Care_approx) 
16.       if (detect_s-v-1_cube(l)) 
17.         drop_fault(g -> h); 
18.   } 
19. } 

Algorithm 9: Approximate Redundancy Identification 
Figure 74 depicts the SAT formulation that is applicable for any faults 
affecting two nodes in a netlist. 

In the case of internal wire interchange errors, when multiple nodes are 
affected, the same inequality is introduced for each node. The conditions at 
each node are or-ed to assert that the difference in the faulty and fault-free 
circuits has to be present in at least one of the nodes affected, as shown in 
Figure 74.b. Further optimizations are applied for replacements that do not 
create combinational cycles. 




a) Original circuit 




Figure 74: Exact SAT Formulation 

Lemma 10: Consider an internal wire interchange error (IWIE) at nets “g” 
and “h”, applied to an acyclic combinational netlist, that results in a faulty 
netlist that is still acyclic and combinational. The activating condition for a 
fault is to xor the logic functions “g” and “h” of the two wires that are 
replaced. Then, instead of or-ing the two xor differences, considering only 
one difference is sufficient. 

Proof: If there is no path between g and h, the two differences are the same, 
and the lemma is proven. Assume, without loss of generality, that the node g 
is downstream from node h in the acyclic combinational netlist. Then, the 
replacement at net g will be activated by the condition 

l_1 = g ⊕ h, 

since the function g is replaced by h. The second replacement, i.e., at net h, 
will, in general, affect all the downstream nodes, including g, changing it to 
a function g_1. Then, the condition for activating this wire replacement would 
be: 

l_2 = g_1 ⊕ h. 

However, notice that if g has changed, a combinational loop was created, 
and the circuit is cyclic, contradicting our assumption. Hence, the node g 
will not change, i.e., g = g_1, and the conditions at both nets affected will be 
g ⊕ h. Then, the overall activation condition is: 

l_1 + l_2 = (g ⊕ h) + (g ⊕ h) = (g ⊕ h). 

Therefore, one xor-ing of the nodes affected is sufficient to describe the 
activating conditions. ■ 
Figure 75: Simplification for Acyclic IWIE Faults 

Figure 75 depicts the application of Lemma 10 to the condition for IWIE 
faults that result in an acyclic netlist. 

Example 52: Consider again faults in Figure 73. For exact SAT formulations 
of these three faults, the activation conditions are created. According to 
Lemma 10, the original functions at the affected node pairs (the second 
column in Table 24) are xor-ed with each other. The resulting conditions are 
shown in the third column of Table 24. 

The overall SAT formulation consists of two parts. In addition to the 
clauses created for the stuck-at-value fault at one of the nodes affected, new 
clauses are added to describe the activation condition. 
Faulty Circuit   Nodes compared   Activation Condition
F.C.1            a, b             x1 ⊕ x2 ⊕ x3
F.C.2            a, c
F.C.3            x1, b            -h X,X-,Xi

Table 24: Activation Conditions for Faults in Figure 73 

For example, the SAT formulation for F.C.2 is created by clauses for a 
(unspecified polarity) fault at node “c” (similar to those in Table 21), and by 
additional clauses that assert the activation condition (third column in Table 
24): 

Additional clauses: [1 = X 2 +X 3 ]: (1 + X 2 + Xy)(x 2 + I)(Xi + l)l- 
For leaving polarities unspecified, the following clauses are removed: 

Removed clauses: [s-a-0]: cCj. 
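
The exact formulation of this section, as an added example that is not code from the book: good-circuit clauses, faulty-circuit clauses, the activation clause l = g ⊕ h asserted to 1, and a goal clause on the output difference are handed to a small DPLL solver. The netlist, the names `check_wire_replacement`, `l` and `diff`, and the solver itself are assumptions made for illustration; the circuit is constructed and is not the one in Figure 73.

```python
# Added example: SAT-based redundancy check for one wire replacement.
from itertools import count


class CNF:
    """Clause list with named variables and Tseitin encodings of gates."""

    def __init__(self):
        self.clauses, self.names, self._ids = [], {}, count(1)

    def var(self, name):
        if name not in self.names:
            self.names[name] = next(self._ids)
        return self.names[name]

    def gate(self, kind, out, ins):
        o, i = self.var(out), [self.var(n) for n in ins]
        if kind == "AND":
            self.clauses += [[-o, x] for x in i] + [[o] + [-x for x in i]]
        elif kind == "OR":
            self.clauses += [[o, -x] for x in i] + [[-o] + i]
        elif kind == "XOR":
            a, b = i
            self.clauses += [[-o, a, b], [-o, -a, -b], [o, -a, b], [o, a, -b]]
        else:
            raise ValueError(kind)

    def assert_true(self, name):
        self.clauses.append([self.var(name)])


def solve(clauses, assignment=None):
    """Plain DPLL with unit propagation; returns a model dict or None."""
    assignment = dict(assignment or {})
    while True:
        simplified, unit = [], None
        for clause in clauses:
            open_lits, satisfied = [], False
            for lit in clause:
                value = assignment.get(abs(lit))
                if value is None:
                    open_lits.append(lit)
                elif value == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not open_lits:
                return None                      # conflict
            if len(open_lits) == 1 and unit is None:
                unit = open_lits[0]
            simplified.append(open_lits)
        clauses = simplified
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    if not clauses:
        return assignment
    branch = abs(clauses[0][0])
    for value in (True, False):
        model = solve(clauses, {**assignment, branch: value})
        if model is not None:
            return model
    return None


# Constructed netlist: (output, gate type, inputs). Node a implies node b.
INPUTS = ["x1", "x2", "x3"]
NETLIST = [("a", "AND", ["x1", "x2"]), ("b", "OR", ["x1", "x2"]),
           ("c", "AND", ["a", "b"]), ("out", "OR", ["c", "x3"])]


def check_wire_replacement(netlist, inputs, gate, old_wire, new_wire, output="out"):
    """Return None if the replacement is redundant, else a detecting test vector."""
    cnf = CNF()
    for out, kind, ins in netlist:                       # good circuit clauses
        cnf.gate(kind, out, ins)
    faulty = lambda n: n if n in inputs else n + "'"     # primary inputs are shared
    for out, kind, ins in netlist:                       # faulty circuit clauses
        if out == gate:
            ins = [new_wire if w == old_wire else w for w in ins]
        cnf.gate(kind, faulty(out), [faulty(w) for w in ins])
    cnf.gate("XOR", "l", [old_wire, new_wire])           # activation: l = g xor h
    cnf.assert_true("l")
    cnf.gate("XOR", "diff", [output, faulty(output)])    # goal: outputs differ
    cnf.assert_true("diff")
    model = solve(cnf.clauses)
    if model is None:
        return None
    return {x: int(model.get(cnf.var(x), False)) for x in inputs}


if __name__ == "__main__":
    print(check_wire_replacement(NETLIST, INPUTS, "c", "b", "x1"))  # redundant
    print(check_wire_replacement(NETLIST, INPUTS, "c", "a", "x3"))  # test vector
```

The first call is unsatisfiable because node a masks the changed input of gate c; the second has exactly one detecting vector, which the solver returns as the satisfying assignment.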



7. I/O PORT REPLACEMENT DETECTION 

We now investigate conditions for detecting the replacements external to 
a block. Such port replacement faults are becoming increasingly important 
due to the IP core reuse trends. It was shown in [135] that the verification 
problems with IP core reuse can be addressed by testing for port replacement 
fault. Unlike previous work, we demonstrate that modeling such faults by 
Arithmetic Transform (AT) leads to their efficient detection. We again use 
Theorem 5 from Chapter 6, which relates the number of test vectors to the 
error AT size. 

7.1 Detection of I/O Port Wire Switching Errors 

I/O port wire replacement errors happen when at least two ports of the 
design are wrongly connected, see Figure 76. These errors are often caused 
by either manual intervention or the wrong connection declaration. A typical 
example is when ports of one block are declared as Little Endian, while ports 
of the other block are represented as Big Endian. In the case of an I/O port 
wire replacement error, it is easy to derive its error polynomial, i.e., the 
Arithmetic Transform of the difference between the fault-free and faulty 
circuit (Chapter 6). 

Figure 76: I/O Port Wire Replacement Errors 

Definition 19: A Single Input Port Wire Replacement Error (SIPWE) 
results in the erroneous connection of a single circuit input port to the wrong 
wire (Figure 76). 

Example 53: Let us consider the error caused by interchanging two input 
wires, “k” and “l”, of an N-bit adder. AT of the original, fault-free 
adder is: 

AT(f) = AT(a + b) = \sum_{i=0}^{N-1} a_i 2^i + \sum_{i=0}^{N-1} b_i 2^i 

When the error f of interchanging two input port wires k and l (k < l) is 
introduced, the error polynomial is: 

AT{e)^ATCf)-AT{f) = (ak +{a, +6^)2', 

As shown in Chapter 5, the error polynomials are not needed explicitly to 
obtain the number of vectors required for their unique identification. Rather, 
we use the lower and upper bounds on the sizes of the possible error 
polynomials. The lower bound (switching only two inputs) is presented in 
Example 53. The upper bound, i.e., the case of wrongly connecting all the 
inputs, still results in a small AT. 
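
The error spectra discussed above can be computed directly, as in this added example (not code from the book). It assumes the usual definition of the Arithmetic Transform as the integer-coefficient polynomial over the input bits, takes the error as faulty minus fault-free, and assumes both swapped wires belong to operand a; the function names and the 4-bit adder size are illustrative.

```python
# Added example: error Arithmetic Transform of I/O port wiring errors on an adder.

def arithmetic_transform(func, n):
    """Nonzero coefficients c_S of f = sum_S c_S * prod_{i in S} x_i (S as bitmask)."""
    coeffs = [func(m) for m in range(1 << n)]
    for i in range(n):                       # subset (Moebius) inversion, bit by bit
        for m in range(1 << n):
            if (m >> i) & 1:
                coeffs[m] -= coeffs[m ^ (1 << i)]
    return {m: c for m, c in enumerate(coeffs) if c != 0}


def adder(n_bits):
    """Word-level a + b; operand a is input bits 0..N-1, operand b is bits N..2N-1."""
    mask = (1 << n_bits) - 1
    return lambda m: (m & mask) + (m >> n_bits)


def rewire(func, n, wiring):
    """Faulty block: port p is attached to wire wiring[p] instead of wire p."""
    def faulty(m):
        seen = 0
        for port in range(n):
            seen |= ((m >> wiring[port]) & 1) << port
        return func(seen)
    return faulty


def error_spectrum(n_bits, wiring):
    """AT of the error function e = faulty - fault-free for an N-bit adder."""
    n = 2 * n_bits
    good = adder(n_bits)
    bad = rewire(good, n, wiring)
    return arithmetic_transform(lambda m: bad(m) - good(m), n)


def swap_wiring(n, k, l):
    """Lower-bound case: only input wires k and l are interchanged."""
    wiring = list(range(n))
    wiring[k], wiring[l] = wiring[l], wiring[k]
    return wiring


def endian_wiring(n_bits):
    """Operand a connected bit-reversed (Little Endian vs Big Endian declaration)."""
    return list(reversed(range(n_bits))) + list(range(n_bits, 2 * n_bits))


if __name__ == "__main__":
    print(arithmetic_transform(adder(4), 8))          # 2N linear terms, weights 2^i
    print(error_spectrum(4, swap_wiring(8, 1, 3)))    # two coefficients
    print(error_spectrum(4, endian_wiring(4)))        # one coefficient per moved wire
```

Both error polynomials contain only single-variable terms, so their size grows with the number of miswired ports rather than with the size of the input space.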

The same test vector set is applied to the faults within the netlist. It 
detects not only the faults resulting in t spectral coefficients, but also many 
faults resulting in larger error spectra. Since the error spectra cannot be 
simply bounded, unlike I/O wire faults, there are a number of faults that are 
either hard to detect (and the AT decoding vector set will consequently not 
detect them) or redundant. These faults are handled by our redundant wire 
replacement identification schemes. 



8. EXPERIMENTAL RESULTS 

The redundancy identification schemes have been implemented on an 
Apple PowerMac G4 with two 1.25GHz PowerPC processors and 512MB of 
main memory, under the Mac OS X v10.2 operating system. We used UC 
Berkeley SIS SAT solver and the BDD package for representing local don’t 
care subsets. No additional ATPG-related optimizations were applied. 
Experiments were conducted on MCNC benchmarks and arithmetic circuits 
(adders, multipliers, ALU and dividers). Results regarding gate replacement 
faults are reported in Section 8.1, while the results dealing with wire 
replacement faults are summarized in Section 8.2. 

8.1 Gate Replacement Experiments 

The proposed redundancy identification schemes were compared with 
respect to their running times and the performance. As we primarily employ 
our own AT-derived vectors, no direct assessment could be done with the 
other schemes. The exact redundancy identification finds all redundant 
errors for the benchmarks considered. Also, 1-Cube distance approximation 
performed almost as well. 

8.1.1 Minimum Distance Replacements 

The number of possible gate replacement faults is very large, as many 
gates can substitute the correct ones. The fault list size is a significant 
impediment to the overall algorithm execution time. To investigate the 
reduction in the fault list and to better expose the performance of the 
proposed methods, we resort to worst-case modeling that allows us to 
discard many easily detected faults. 

Definition 20: We say that the gate “h" is the minimum distance (M.d) 

replacement 

min 

among all replacement candidates in set “L". If the DC sets are available, 
then the gates that have the smallest positive Hamming distance: 
min nCare/,„,,,y^ r^Care;, ,,,,)> 0 

flel 

are used as the minimum distance replacements. 

To assess the efficiencies of the parts of Algorithm 8, several variations 
of the approximate redundancy identification were considered, as shown in 
Figure 77. They differ in the amount of DC subsets considered and in the 
application/omission of the 1-Cube distance s-a-v identification. 







Figure 77: Approximate DC Methods Used in Experiments 

In Table 25 we compare the fault coverage of typical gate replacement 
design errors obtained through AT test vectors and four methods from Figure 
77. The columns labeled as “Red” refer to fault coverage with no 
redundancy removal (as in Figure 77.a), while “CODC-SDC” columns 
show the coverage after removing redundancies using DC approximations 
that do not include the local SDC sets, as calculated in Section 3 (Figure 
77.b). The next two columns contain the coverage with the SDCs included 
(Figure 77.c), followed by the 1-Cube distance approximation (Figure 77.d). 
We present the cumulative results (“All”) of simulations where each gate in 
the network was replaced with all possible elements from the gate library. 
The effectiveness of redundancy identifications is illustrated even better by 
the results obtained using the worst-case modeling (M.d). Note that Table 25 
demonstrates that the DC approximate methods are in relation, as in Figure 
63. Further, for all the cases, the 1-Cube (1-C) approximation identifies all 
the redundant faults, i.e., performs as well as the exact identification. The 
fault coverage is less than 100% in some cases only due to the AT test 
vectors. 

In Table 26 we summarize the coverage and simulation statistics for 
common arithmetic circuits using the exact identification. We notice that the 
actual number of simulation runs is small. The same statistics are given for 
MCNC benchmarks in Table 27. 



Circuit 


Size 


Red 


CODC-SDC 


CODC 


1-C 


AU 


M.d 


All 


M.d 


All 


M.d 


Look- 






84.7 


95.0 


85.2 


96.1 


88.5 


96.7 


ahead 




93.8 


85.2 


95.3 


86.1 


97.4 


88.6 


96.8 


Adder 




94.1 


86.1 


95.8 


87.0 


98.3 




96.8 




24 


993^ 


89.6 


99.2 


92.7 


99.2 


94.5 


95.1 




32 


99.5 


98.2 


99.3 


92.7 


99.3 


94.2 


94.7 


HH 


48 


99.6 




99.5 


92.7 


99.3 


94.4 


94.9 


CLA 

Divid. 


11x6 


88.2 


95.0 


97.4 




100 


100 




17x8 


87.6 


96.1 


97.4 


tam 


100 


100 




33x16 


89.8 


90.2 


98.6 


96.3 


100 


100 


IBW 


Array 

Divid. 


9x5 


78.7 


62.8 


96.3 


92.6 








11x6 


75.9 


63.7 


98.2 










13x7 


75.5 


64.3 


97.6 


94.9 









Table 25: Fault Coverage for Arithmetic Circuits: Impact of Redundant 
Gate Replacement Removal 



Circuit        Size     Gate Replacements
                        Cov.    Faults   Sims      Vec.
ALU            24       99.3    191      516505    80
               32       99.5    348      1015996   84
               48       99.7    736      1424568   87
CLA Divid.     11x6                      8720      45
               17x8                      18834     51
               33x16                     37792     75
Array Divid.   11x6     100     96       1654      17
               17x8     100     149      2147      18
               33x16    100     293      4738      20



Table 26: Arithmetic Circuit Coverage with UTS (4 Lattice Layers) 



Circuit 


DC BDD 


Redund. Ic 


1 


Vectors 


. 

Size 


Time 


Red 

f'l 


Total 

[si 


Cov. 

f%] 


Faults 


Sims 


Vec. 


11 


180 


0.05 


0 


0 


94.4 


18 




10 


alu2 


2187 


0.40 


0.14 


3.27 




26 




15 


alu4 






4.51 


35.7 


95.9 


49 




30 


9symm 


1252 




0.04 


0.16 


97.5 


6 




m 


cordic 


401 








92.8 


28 




■ 


C499 


64547 








100 


la 




m 






m 






100 






B 


C1355 


176390 


153.7 






100 


68 




m 






218.4 


1.71 


2.11 


91.2 


98 




m 


C2670 


4401323 


217.8 


1,76 


4.16 


98.5 


330 


10088 


36 


C6288 


CO 


CO 


35 


55.9 


100 


705 


66003 


271 


C880 


30501 


5.31 


0.1 


0.47 


97.6 


188 


6005874 


106 



Table 27: Coverage, Running Times for Redundancy Identification and 
Simulation Statistics for Gate Replacement Faults on MCNC Benchmarks 



The second and third columns of Table 27 store data for comparing times 
spent on the redundancy identifications using DC approximations and exact 
SAT, based on the time and space requirements for DC BDD constructions. It 
was assumed that DCs were not readily available in the circuit, as a 
by-product of, for example, synthesis. We report two time measurements for 
each benchmark. They allow us to determine bounds on the performance of 
any possible preprocessing before invoking SATs. Columns “Redund” and 
“Total” report times spent on redundant and all SAT cases, respectively. 
They present the lower and upper bounds on SATs with respect to 
preprocessing. We do not report separately the time required in different 
parts of SAT, as overall the routines are fast. The impact of passing the 
information between the BDD-based DC calculation and the SAT 
procedures is obtained by comparing the SAT times in these two cases. 
While BDDs perform worst with respect to their space complexity, 
preprocessing can reduce the time requirements of SAT. Further, included 
are the statistics on the total number of simulation runs (column “Sims”) as 
well as the number of vectors that is sufficient for the given coverage. This 
number is obtained by the greedy top-to-bottom traversal of the lattice 
layers. A more concise set could be found by applying a more optimal test 
set through the standard vector compaction techniques. All the 
improvements in modern SAT solvers, such as those from [86], can be 
equally used in both approaches. Any advances in structure-based s-a-v 
ATPG can be used towards speeding up the approximate methods. 



Circuit 


Exact SAT 


Pre-Sim SAT 




Redfs] 


Total[s] 


Cov.[%] 


Red[s] 


Total [s] 


im 








0 


0 








96.2 


0.12 


0.33 










3.88 


15.13 


9symm 


0.04 


0.16 


97.5 


0.03 


0.12 








92.8 












100 






C432 






100 


0.14 


0.16 


C1355 


1.99 


2.26 


100 


1.71.0 


1.82 


Cl 908 


1.71 


2.11 


91.2 


1.63 


1.96 


C2670 


1.76 


4.16 


98.5 


1.43 


3.69 


C62S8 

1 


35 


55.9 






45.6 


|C880 


0.13 


0.47 


97.6 


0.11 


0.36 



Table 28: Execution Time Benefit of Pre-processing (for Exact SAT) 



We notice that the approximate identification of DC conditions achieves 
almost complete coverage in roughly half the time of the exact SAT. 
Depending on the circumstances, either the exact or approximate redundancy 
identifications are appealing. 
Further, as the test set vectors have a very simple structure (top layers of 
lattice), information on failing to detect the fault was passed to the exact SAT 
procedure, to speed it up (Figure 78.b) by pre-simulations that possibly 
detect many faults. These times are reported in the last two columns in Table 
28 in comparison to the plain exact SAT identification (first two columns). 
The coverage is the same in both cases. 





Figure 78: Exact SAT Methods Used in Experiments 

8.2 Wire Replacement Experiments 



We next report the wire replacement fault coverage with AT test vectors 
generated among the four top lattice layers. The proposed schemes were 
compared with respect to their running times and the performance. While 
exact identification finds all redundant errors, the approximation performed 
almost as well. Results for arithmetic circuits are reported in Table 29. 



The results for MCNC benchmarks are shown in Table 30. Included in 
the results for both arithmetic and MCNC circuits are the statistics for the 
vector set that suffices to guarantee this coverage (the last column), as well 
as the total number of vectors simulated until the coverage was achieved 
(column “Sims”). 
Circuit        Size     Wire Replacements
                        Cov.    Faults   Sims      Vec.
ALU            24       100     1570     912585    205
               32       100     2643     1618214   244
               48       100     3231     2103455   251
CLA Divid.     11x6     100     1012     1274      68
               17x8     95.9    2232     1683      76
               33x16    94.1    4121     10514     97
Array Divid.   11x6     100     825      753       7
               17x8     100     1043     958       7
               33x16    100     1964     1168      8

Table 29: Wire Replacement Results for Arithmetic Circuits 



Circuit 


DC BDD 


Redund. Id. 


Vectors 


1 

Size 


Time[s] 




■31 




Sims 


Vcc. j 


alu2 






0,137 


100 


m 




■ 


alu4 


2849 








737 


2958 


15 


9symm 


2884 












19 


cordic 


926 






100 


219 


36128 


28 


jC499 


73120 


4.581 


2.484 




946 


123231 


m 




271463 


6.258 


2.177 




927 




43 ' 


C1355 




123.88 


7.359 




1407 






C1908 


120999 


185.40 


10,181 


90,4 


818 


2722549 


96 


C2670 




213.56 


6.23 


99.9 


436 


45023 




C6288 


OO 


oc 






1852 


145402 


m 




36406 


4.419 


0.56 


97.0 






89 


My adder 












3605 


14 



Table 30: Coverage, Times and Simulation Statistics for Wire Replacement 

Faults 
8.2.1 True Fan-in Acyclic Replacements 

The number of possible wire replacement faults is very large. To better 
expose the performance of the proposed methods, we resort to modeling that 
allows us to discard many easily detected faults and concentrate on those 
that are more likely to be redundant. 

Definition 21: We say that the wire interchange of two wires "w ” and "e ”, 

driven by nodes and Ni, performing functions f andfi, respectively, is the 
true fanin acyclic (W.tfi) replacement if: 

}. W| and / 9^ 

2. iV| is in the true fanin ofNi- 

3. network is acyclic after the interchange. 

This definition regards the replacements as in Figure 72, where the wire 
is substituted with a wire from its fanin input cone, as shown by the shaded 
area. 



Circuit     # Inputs   Fault Coverage [%]
                       3 layers   4 layers   5 layers
C1355       41         71.8       100        100
C17         5          100        100        100
C1908       33         80.1       85.2       99.1
C3540       50         96.7       99.2       99.2
C432        36         100        100        100
C499        41         71.8       100        100
C6288       32         100        100        100
C880        60         85.0       85.0       97.1
alu2        10         100        100        100
alu4        14         100        100        100
apex7       49         89.4       95.2       99.8
count       35         79.8       99.9       99.9
My adder    33         96.6       96.6       96.6

Table 31: SIPWE Coverage Experimental Results 



While DCs perform worst with respect to their space complexity, 
preprocessing can reduce the time requirements of SAT. Table 31 and Table 
32 show the fault coverage of SIPWE faults for MCNC benchmarks and 
arithmetic circuits. In the latter table, vectors among 4 layers were used. 
8.3 SAT vs. ATPG 



Our approach to redundant faults was based on incorporating relevant DC 
circuit conditions to speed up the redundancy identification process. The 
soundness of such a solution is based on the fact that all redundancies in a 
given circuit are caused entirely by DCs associated with the design and 
synthesis process. 



Circuit            Size     DC      SAT
Ripple Adder       12       72.8    72.8
                   16       72.8    73.4
                   24       73.9    77.9
Look-ahead Adder   12       72.0    75.7
                   16       68.5    72.1
                   24       76.1    79.7
ALU                10       99.7    100
                   12       99.7    100
CLA Divider        9x5      100     100
                   11x6     94.8    94.9
                   13x7     91.4    88.1
Array Divider      9x5      100     100
                   11x6     100     100
                   13x7     100     100


Table 32: Wire Replacements in Arithmetic Circuits 



As “the execution engine” of the proposed approach, we selected the SAT 
formulation. However, the approximation algorithms can be equally easily 
incorporated into a structure-based ATPG scheme. Similarly to the SAT 
solution, all improvements to the ATPG can be applied to speed up the 
procedure. 

Further optimizations could enhance the SAT implementation of the 
redundancy identification as well. For example, the true circuit clauses could 
be constructed only once, for all the faults injected in a given circuit. 
Currently, they are re-created for every fault. 



9. CONCLUSIONS 

In this chapter we considered verification by test vectors. Under a fault 
model that includes gate and wire replacements, there are many redundant 
faults. These redundancies seriously impact the verification scheme. 
Simulation overhead and the confidence in fault coverage could suffer and 
create an obstacle in the practicality of these verification methods. 

We proposed several methods for redundant fault identification. These 
methods differ in the level of approximation to the problem. While the exact 
SAT-based solution is practical, we showed that the consideration of 
replacements that are within a single-cube distance from the replaced gate 
provides almost complete redundancy identification by the use of standard s- 
a-v methods. In the latter, we use the CODC subsets of local don’t cares to 
reduce the number of cases considered and to provide distance information. 
Further preprocessing to SAT procedures that exploits the properties of the 
test set is demonstrated. Figure 63 relates the proposed methods. Both 
approaches can benefit from improvements in underlying SAT and structure- 
based s-a-v methods. The approximate construction can completely avoid 
the use of SAT solvers and rely instead on single stuck-at fault detection. 

To speed up the exact method of detecting replacement errors, we applied 
in the preprocessing phase test sets obtained by Arithmetic Transform. 
Additional help in simplifying the verification effort came from the 
reduction of the fault list by methods such as the worst-case modeling 
(Section 8.1.1 and Section 8.2.1). 

The results presented in this work can be extended in future to broader 
classes of replacement faults and their redundancy identification. Also, we 
believe that sequential and high-level design verification schemes can 
benefit from methods presented here. 




Chapter 8 

CONCLUSIONS AND FUTURE WORK 



1. CONCLUSIONS 

Integrated circuit design, test and verification are reaching unprecedented 
complexity. As integrated circuit complexity keeps increasing, real 
challenges arise regarding both the quality and the speed of development. 
Very narrow time-to-market constraints are necessitating a new, integrated 
approach to design, verification and test flows. In this book we presented the 
tools and techniques designed to simplify verification of gate-level designs. 

Starting from system specification, and ending with manufacturing test, 
verification is often an ad hoc process due to its complexity, and in 
consequence the inability to apply fast deterministic solutions. Similarities 
to synthesis and testing are promising, and prompt one to look for fast 
solutions among existing algorithms from these areas. However, the 
incorporation of verification solutions into design and test tools often 
proves to be more complex than initially assumed. Additionally, verification 
tools created this way may not have the required capabilities. Ignoring the 
complexity of a task, managers responsible for the overall product sometimes 
place an emphasis on testing, and require that the verification of circuits 
at the later stages of a design flow be easily derived from manufacturing 
test vectors. In many cases, lack of time and resources prohibits design 
teams from venturing from traditional verification by simulation into more 
esoteric formal methods. 
Hence, the need for a robust verification scheme motivates research 
leading towards integrated tools for verification at different levels of 
abstraction that share information within the design flow. As this book deals 
with low-level (netlist) verification, we especially emphasize the 
pressing issues of integration of various verification approaches with 
manufacturing testing. Due to incompatibility of the circuit representations 
used in formal methods, simulations and manufacturing testing, this goal is 
not feasible for most available tools. We proposed circuit and error 
representations that work well with both formal and simulation schemes. 

Primarily, we addressed simulation-based approaches, which are the 
most popular among verification methods. The main deficiency of 
simulations comes from the fact that the verification is only as good as the 
fault model used. In practice, vectors are often selected pseudo-randomly or 
manually to excite all the blocks of interest - there is a lack of the systematic 
classification and sizes of the error lists are often prohibitive. 

In the main part of this book, we address the major problems of 
simulations, i.e., inadequate fault models, and large vector sets. The first 
issue, although particularly attributed to functional errors committed at 
initial stages of a design flow, is still not fully resolved for gate-level faults. 
The second problem is characteristic to netlist faults, and due to large-size 
and incompatible error classes. To alleviate these difficulties, we introduce 
an implicit error modeling based on Arithmetic Transform. For example, at 
the netlist level, each implicit error can potentially represent many explicit 
gate and wire replacements; the same is true for other functional error types. 
Therefore, a detection of an implicit error can often signify more than a 
single explicit fault. This property is particularly beneficial at early stages of 
a design flow, when circuits contain many faults. 

Our first set of contributions lie in verifying circuits at a gate level using 
simulation methods. Although simulations are still the most commonly used 
form of gate level circuit verification, they are not free from insufficiencies. 
As there are many possibilities for potential design errors, we examined the 
commonly studied error models. We proposed an alternative in implicit 
modeling and have examined benefits and drawbacks of such a solution. An 
implicit representation of these errors in terms of Arithmetic Transform was 
chosen due to the fact that AT is already used in some formal verification 
schemes, and is compact for most datapath circuits of interest. It was shown 
that such an implicit model allows testing by applying Universal Test Set 
(UTS). In fact, we prove even more in a key theorem (Theorem 1 in Chapter 
6). We have shown that the design error diagnosis and correction are 
possible for a vector set that is derived based on the size of an error 
measured in the number of error AT coefficients. In consequence, we 
proposed a test generation scheme based on AT, which is of minimal size for 
the given class of errors. 

The sets of gate and wire replacement errors are even further 
superficially enlarged by redundant errors. Therefore, the identification of 
such errors and their removal from the fault list is mandatory in efficient 
simulation-based verification. By recognizing the fact that all redundancies 
are caused by don't care conditions in a circuit, we presented the new 
schemes for identifying redundant gate and wire replacements based on the 
approximate determination of don't care sets. These approximations are safe 
in the sense that no irredundant fault will be discarded as redundant. 
However, when all the fast approximations fail to recognize some redundant 
faults, we suggest an exact method for their identification based on 
satisfiability (SAT). In the end, our approach in some cases reduces to 
redundant single stuck-at-value (s-a-v) fault identifications. Going along this 
line, we further identify conditions under which fast s-a-v methods can be 
employed. In this way, we can benefit from a substantial wealth of different 
methods elaborated over the years for fast identification of single s-a-v 
redundant faults. The execution time of the proposed algorithms is finally 
reduced by a new preprocessing scheme, which takes advantage of 
properties of AT in reducing the required number of redundancy 
identifications. 



2. FUTURE WORK 

Verification methods, both simulation-based and formal ones, are still an 
open chapter. A substantial effort from the industrial side and academia is 
required in order to solve many burning issues, such as: fault models and 
compact test sets for simulations, efficient data representation, simplification 
and larger-scale automation of formal methods. However, even if it were 
possible to address all of the above issues, newly emerging technologies 
would bring with them some new challenges to the existing verification 
procedures. The new technologies and increasing circuit integration will 
require new classes of errors, not seen in the present circuits. Therefore, 
there is substantial work that can still be done in expanding issues addressed 
in this book. This is true for simulation-based verification, formal methods, 
and especially for a variety of combinations that are possible once the 
common data structures and the circuit representations are in place. 

In pursuit of fresh solutions we should always investigate new paths, even 
those, or maybe particularly those, which do not belong to the mainstream. 
One such example is the application of harmonic analysis to an integrated 
design/verification/test flow. In this book we extensively use the Arithmetic 
Transform, which is one of the spectral methods. Further investigations of 
the application of this and other transforms to circuit verification, as well as 
proving strong relations among them (for example, between AT and Walsh- 
Hadamard Transforms), may not be trivial, but would be beneficial. 

Further studies of error models, their relevance to design verification and 
the apparent convergence in the types of faults could be conducted. In 
particular, the deep-sub-micron manufacturing faults show signs of 
becoming close to the classes of design faults, and the methods proposed 
here could be applied to manufacturing fault testing as well. 

In the area of formal verification, results presented in [102], [107] 
encourage advanced research on the suitability of AT and the derived 
transformations for compositional verification, especially when Intellectual 
Property (IP) cores are used. It would be helpful if a set of appropriate 
benchmarks were devised to quantify the quality of such methods. 

We believe that the greatest opportunities in verification lie in the 
combination of the two approaches: simulation-based and formal. A study of 
suitable data structures and their concrete implementations would nicely 
complement the research presented here. 

Appendix I: Check Matrix $H_r$ - Auxiliary Lemma and Preliminaries 



In this Appendix we prove the error correcting properties of the Arithmetic 
Transform and the matrix $H_r$, introduced in Section 2.2, Chapter 5. The check 
matrix $H_r$ is obtained from the inverse AT transform matrix by selecting the 
evaluation points belonging to the $r+1$ top lattice layers, where the inverse of 
the AT matrix is defined as: 

$$T_n^{-1} = \begin{bmatrix} T_{n-1}^{-1} & 0 \\ T_{n-1}^{-1} & T_{n-1}^{-1} \end{bmatrix}$$

By multiplying $T_n \cdot T_n^{-1} = I$, we verify the correctness of $T_n^{-1}$. ■ 




Let us first consider an example of $n = 3$ and two top layers, i.e., the points 
taken are 111, 011, 101 and 110. The check matrix $H_1$ is then obtained from 
$T_3^{-1}$ as: 

$$H_1 = \begin{bmatrix}
1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \\
1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\
1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 \\
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}$$

By considering columns 4, 6, 7 and 8, we observe that the maximal number 
of independent columns, i.e., matrix rank, is 4. Notice that not every four 
columns are independent, such as columns 5, 6, 7 and 8. However, any three 
columns are independent, thus the minimum number of independent 
columns is three. The structure of the matrix is such that the minimum 
number can be found by inspecting the last (tailing) three columns, i.e., 5, 6 
and 7 [111]. 

By taking one more, i.e., the $(r+2)$-th lattice layer, the corresponding rank of 
$H_{r+1}$ is always equal to the number of rows, whereas the minimal number of 
independent columns is claimed to be This statement can be verified 

by considering the columns, corresponding to the points considered. 
For example, adding one more layer to $H_1$ results in a matrix: 

$$H_2 = \begin{bmatrix}
1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
1 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \\
1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\
1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 \\
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}$$

Here, the minimal number of independent columns is seven. In general, 
this number increases every time a new layer is added, and is equal to the 
largest subspace contained in the tailing columns. The fact that the diagonal 
entries of the matrix $H_r$ are one ensures that the tailing columns are sufficient 
to consider, as the columns ahead cannot be linearly dependent on any tailing 
column. By inspecting $H_1$ and $H_2$, we notice that the number of tailing 
columns considered is $2^{k+1}$, for $k$ layers, and that the first of these $2^{k+1}$ tailing 
columns is dependent on the rest. Hence, when a consecutive layer is added 
to $H_k$, new $2^{k+1}$ vectors are added to the independent set of columns. 

We are now ready to formally prove the lemma, which states that the 
minimum number of independent columns of $H_r$ bears no relation to the 
number of function variables $n$. 

Lemma 11: Matrix $H_r$ has at least $2^{r+1} - 1$ independent columns. 

Proof (by induction): 

Base step: we showed that for the case $k = 2$, the minimal number of 
independent columns is $2^{k+1} - 1$. 

Induction step: for $k + 1$ layers, the minimal number of independent 
columns is equal to those for $k$ layers, to which new $2^{k+1}$ columns are added. 
Then, the total number of independent columns is: 

$$2^{k+1} - 1 + 2^{k+1} = 2^{k+2} - 1$$ ■ 
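
The column-independence claims made in this appendix for the check matrices built from two and three top lattice layers (n = 3) can be checked mechanically. The following Python is an added example, not code from the book; the function names are assumptions, and columns are indexed from 0, whereas the text numbers them from 1.

```python
from fractions import Fraction
from itertools import combinations

def inverse_at(n):
    """Inverse AT matrix: entry (x, j) is 1 when the set bits of j are a subset of those of x."""
    size = 1 << n
    return [[1 if (j & x) == j else 0 for j in range(size)] for x in range(size)]

def check_matrix(n, r):
    """H_r: rows of the inverse AT matrix at the points of the r+1 top lattice layers."""
    t_inv = inverse_at(n)
    return [t_inv[x] for x in range(1 << n) if bin(x).count("1") >= n - r]

def rank(rows):
    """Rank over the rationals, by Gaussian elimination with exact fractions."""
    m = [[Fraction(v) for v in row] for row in rows]
    rk = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(rk, len(m)) if m[i][col] != 0), None)
        if pivot is None:
            continue
        m[rk], m[pivot] = m[pivot], m[rk]
        for i in range(rk + 1, len(m)):
            factor = m[i][col] / m[rk][col]
            m[i] = [a - factor * b for a, b in zip(m[i], m[rk])]
        rk += 1
    return rk

def columns(h, idx):
    """Sub-matrix of h that keeps only the 0-based column indices in idx."""
    return [[row[j] for j in idx] for row in h]

def min_independent(h):
    """Largest k such that every choice of k columns of h is linearly independent."""
    width, k = len(h[0]), 0
    while k < width and all(rank(columns(h, c)) == k + 1
                            for c in combinations(range(width), k + 1)):
        k += 1
    return k

if __name__ == "__main__":
    for r in (1, 2):
        h = check_matrix(3, r)
        print(f"n=3, r={r}: rank={rank(h)}, any {min_independent(h)} columns independent")
```

The exhaustive subset search in `min_independent` grows combinatorially with the number of columns, so it is meant for the small matrices discussed here.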




Appendix II: Auxiliary Results in Relating AT and WHT 



Lemma 12: The following relations hold: 

1) The sum of column entries of $A_n = T_n^W - T_n^A$ is $2^n - 1$ for the 
$(2^n - 1)$-th column, and 0 otherwise. 

2) The sum of column entries of $B_n = T_n^W + T_n^A$ is $2^n + 1$ for the 
$(2^n - 1)$-th column, and 0 otherwise. 

Proof: 1) The sum of columns in $A_n$ is obtained by observing (as from matrix 
$A_3$, without loss of generality) that the numbers of entries that are 1 and -1 are 
the same in all columns, except in the last one, where there are $2^n - 1$ ones in 
the column. 

2) The sum of columns in $B_n$ is obtained by using Case 1 and the identity: 

Then, the sums of the elements in the columns can be calculated by 
summing the matrices $A_n$ and $B_n$ independently. Notice that the sum 
of row entries in $T_n^A$ is 1 for the last column and 0 otherwise. Then, the 
sum of the entries in the last column of $B_n$ is $2^n - 1 + 2 \cdot 1 = 2^n + 1$. ■ 

Theorem 2: The sum $S(T^W)$ of all spectral coefficients of the Walsh-Hadamard 
Transform is always $2^n$ times larger than the sum of all Arithmetic 
Transform coefficients. 

Proof: Using the lemma just proven, the sum $S(A_n)$, where $A_n = T_n^W - T_n^A$, 
reduces to: 

$$S(A_n) = \sum_{j=0}^{2^n-1} f_j \sum_{i=0}^{2^n-1} a_{ij} = \sum_{j=0}^{2^n-2} f_j \sum_{i=0}^{2^n-1} a_{ij} + f_{2^n-1} \sum_{i=0}^{2^n-1} a_{i,2^n-1} = 0 + (2^n - 1) \cdot f_{2^n-1}$$

After obtaining, in the same way, that $S(B_n) = (2^n + 1) \cdot f_{2^n-1}$, the 
following relations hold between $S(A_n)$ and $S(B_n)$ (subscripts indicating 
size are omitted and replaced with the matrix entry indices): 

$$\sum_{i=0}^{2^n-1} (c_i^W - c_i^A) = \sum_{i=0}^{2^n-1} \sum_{j=0}^{2^n-1} a_{ij} f_j = (2^n - 1) \cdot f_{2^n-1},$$

$$\sum_{i=0}^{2^n-1} (c_i^W + c_i^A) = \sum_{i=0}^{2^n-1} \sum_{j=0}^{2^n-1} b_{ij} f_j = (2^n + 1) \cdot f_{2^n-1},$$

which can be solved as a system of linear equations in sums of $c_i^A$'s and 
$c_i^W$'s: 

$$\sum_{i=0}^{2^n-1} c_i^W = 2^n \cdot f_{2^n-1} \quad \text{and} \quad \sum_{i=0}^{2^n-1} c_i^A = f_{2^n-1},$$

and finally, the sums of spectral coefficients relate as: 

$$\sum_{i=0}^{2^n-1} c_i^W = 2^n \sum_{i=0}^{2^n-1} c_i^A$$